Identify the known issues that you may encounter when installing and using Deep Security 10.0. Note that this list excludes the issues from the previous Deep Security versions.
Below are the issues for the following Deep Security components:
- Deep Security 9.6 SP1 and earlier versions use RSA-1024 and SHA-1 for secure communication between the Deep Security Manager and Deep Security Agents. By default, Deep Security 10.0 uses RSA-2048 and SHA-256, which are more secure algorithms.
A fresh installation of Deep Security 10.0 will use RSA-2048 and SHA-256. However, if you upgrade from a previous version to Deep Security 10.0, it will continue to use the earlier cryptographic algorithms unless you update the algorithm separately. Follow the instructions from this Help Center article: Upgrade the Deep Security cryptographic algorithm.
- When using a policy with enabled SAP but its license has expired, the SAP Policy will still appear as activated on the Deep Security Manager console. However, the policy sent to the agents will have SAP turned off. This is because SAP with expired license will not run on an agent.
- Take extra caution on manually adding a zip file to Local folder under Administration > Software. If the original filename based on the Download Center is not maintained, it will not properly deploy to Agents. For example, downloading a second copy of an Agent file can result in a file named Agent-amzn1-9.6.2-7690.i386 (1).zip, which is not the same as the original.
- In Application Control, the drift number and button for Allow All or Block All under the Action tab does not reflect the last executed state after you switched to any other page. The information displayed on the Action tab page will depend on how many unrecognized software items are being allowed or blocked by the current action. If there are too many unrecognized software items, then the page will take longer to be updated.
- Upgrading to Deep Security 10.0 with an Oracle 12c Database is not supported in a multi-tenant deployment.
- Using Windows 10 Edge as your browser for DSM may show certificate errors. Microsoft Edge is a web browser included in Windows 10 2016 operation systems. Unlike IE, the Edge browser does not have a configuration option for Trusted Sites which allows the user to add websites (e.g. DSM URL). However, administrators can still add the DSM URL to the list of trusted sites from the Control Panel (Control Panel > Network and Internet > Internet Options > Security).
- When using Connected Threat Defense and submitting a quarantined file containing multiple infected files to Deep Discovery Analyzer (DDAn), DDAn may not be able to unpack it for submission or analysis. During this scenario, the DSM does not allow the file to be submitted and the Submit to DDAn button will be disabled when the user selects quarantined spyware with multiple detections.
- When the DSM re-registers to Control Manager (TMCM), all DSM log index (e.g. anti-malware, firewall, and file hash detection log) will be reset and the logs are sent again to TMCM. This may cause duplicate logs in TMCM.
- When using TMCM with a local Smart Protection Server (SPS) for the Connected Threat Defense feature, Deep Security will not only take the action according to Web Reputation Services (WRS) features, but also take action according to TMCM or local SPS (Log or Block for a URL). However, Deep Security blocking page and events still show the risk information instead of the specific action or category details for this.
Below are some examples:
- Some pages rated with "Suspicious" Risk Level are blocked when user’s setting of Web Reputation Security Level is Medium to block Dangerous and Highly Suspicious pages.
- Some WRS events are log events instead of block events. Thus, user cannot tell which is log event in the DSM WRS event pages. To clearly identify the event, user needs to login to TMCM to view the WRS events with action/reason details.
- When using Deep Security Scanner (SAP for Windows) and a file extension does not match the MIME Type set on the SAP WinGUI, the scan will proceed but will eventually fail, and a "Rule Violation" error will be displayed.
- A virtual machine (VM) is added through vCloud connector. After vMotion from a protected ESXi host to an unprotected ESXi host, the virtual machine will not change from Combined Mode to Agent-Only Protection.
On the other hand, if the virtual machine is vMotioned from unprotected ESXi host to a protected ESXi host, the virtual machine will not change from Agent-Only Protection to Combined Mode.
- When using Deep Security Scanner (SAP for Windows) and the block MIME Type is set to application (or ZIP files) on the SAP WinGUI, the scan will proceed but will not immediately block the ZIP file immediately. It will take some time to return the result if the ZIP file is large.
- When exporting a security policy to an XML file, the inherited settings are not included in the XML file. For example, if a user exports a policy whose AM configurations are inherited and then import the XML file policy into another DSM, the imported policy's AM configuration will be empty. As a workaround, assign a parent to the imported policy.
- In Deep Security 10.0, the DSM can correctly show IM event details according to the current user's timezone setting. However, the Installed Date is not handled in this fix due to OS limitations. For example, this value is not available in SunOS. In Microsoft Windows, the system only provides date (YYYY-MM-DD) without the time (HH:MM:SS).
The possible values of Installed Date are:
- Jan 02 1970 12:00 (hard-coded, SunOS)
- YYYY-MM-DD (only the date, MS Windows)
- YYYY-MM-DD hh:mm:ss (endpoint's local time without timezone)
- When using TMCM 6.0 SP3, a user-defined Suspicious Object does not have a filter CRC value. Therefore, Deep Security cannot detect or block this type of file.
- Deep Security Online Help Search does not support special characters (e.g. !, #, and %).
- When using the Discover Computers feature to find computers by IP Range, some false positives may be detected. This issue is caused by a defect in the bundled JRE 1.8u102 and will be fixed in the next Deep Security release.
- In Connected Threat Defense, the Submission Progress field of Quarantined/Backup file table may show "Report Unavailable" because Deep Security cannot get the analysis result from DDAn for the submission over one day. Deep Security will no longer wait for the result of this submission. The user will have to choose the Quarantined/Backup file event and click Submit to DDAn to manually send the file to DDAn. Afterwards, DSM will submit the file, reset the submission date, and wait for DDAn analysis result again.
- Support for the Docker Overlay Network driver will be introduced in the next Deep Security release.
- If SOAP API is being used in previous versions of Deep Security, WSDL file on the client side needs to be updated after upgrading the DSM to version 10.0 for proper exception handling. The WSDL file is available under the Administration > System Settings > Advanced Page > SOAP Web Service API section.
- A notification showing "Refresh" appears on the user interface after reverting an action in Application Control.
- When copying Smart folders, their sub-folders are not copied. Duplicating a multi-level Smart folder only duplicates the original folder and not the children under it.
- Users with View Only rights for computers can see the gear icon for modifying a Smart folder. However, clicking the gear icon does not work. The gear should be hidden if the user does not have permission to use it.
- Using a Safari browser, the Filter Search option in Application Control under the Action tab only works once. Afterwards, you need to select another tab and click back to do another search. The issue does not occur in Chrome, Firefox, and IE 11.
- When viewing Application Control drift events using the time-based histogram, there is a known boundary issue. Selecting the detailed histogram view may not show some events from the high-level view to the expanded view. As a workaround, adjust the time filter at the top of the histogram expanded view to properly display the drift events.
- Oracle Container Database (CDB) is not supported with Deep Security Manager multi-tenancy.
- Application Control has been designed for relatively stable server environments as a security control, where unplanned changes on a computer are indicator of compromise. Deep Security limits the amount of unreviewed software change that it tracks for each computer. If the number of unreviewed software changes for a computer exceeds 50,000 items, the computer will report an "Unresolved software change limit reached" error on that host, a system event will be logged, an alert will be raised, and the unreviewed software changes for that computer will be removed from the Deep Security Manager database. The Application Controltab on the Computer Details page will also show a banner describing the problem. The application control policy in effect on the computer will continue to be applied, and any existing rules will continue to be enforced.
Below are some limitations:
- If the unreviewed software change exceeding the limit for an individual computer already exists in the database when it is upgraded, the error will not be raised until the next unreviewed software change is reported by the computer.
- If an administrator reverts a software change review decision and doing so causes the unreviewed software change to exceed the limit for an individual computer, the error will not be raised until the next unreviewed software change is reported by the computer.
- Solaris 10u5 is not supported in Deep Security 10.0. Users using Solaris 10u5 and u6 are affected and cannot upgrade to DSA 10.0 directly. We recommend either staying at DSA 9.6, or upgrading to Solaris 10u7+. Please refer to the Oracle's documentations.
- When the Linux kernel on the Agent host is updated to unsupported version, the DSA driver for Web Reputation, Anti-Malware, and Intrusion Prevention modules will not be loaded. In addition, the modules will appear as offline on the DSM console. However, the Web Reputation module is still shown as online.
- When you have a fresh installation of Anti-Malware Protection Module on DSA running on Windows 2016, the Windows Defender service will be stopped and it requires a reboot. Afterwards, changing the computer's policy to disable and re-enable the anti-malware will not show the pop-up message. It is strongly recommended to reboot the Windows Server 2016 when the Windows Defender service is stopped by the DSA Anti-Malware Policy.
- Microsoft SQL Server database may experience high CPU on an environment with large number of computers and enabled Integrity Monitoring. To resolve the issue, maintenance on the Entity table should be done using the "EXEC sp_updatestats" command.
- Currently, you cannot specify the path within containers when defining policy for the inclusion or exclusion lists for Anti-Malware.
- Windows XP Embedded is an unsupported DSA platform in this version. Customers running Windows XP Embedded should continue to use the latest Deep Security Agent 9.6 SP1.
- When you upgrade DSA with Anti-Malware policy assigned to version 10.0, it may successfully upgrade but the AMSP version still remains at version 2.6.x. This happens in Windows XP, Vista, Windows 2003 Server, and Windows Server 2008 operating in an environment without Internet connection. The computer status on the DSM and DSA Notifier will show "Anti-Malware Offline", and the following error message is generated:
Anti-Malware Windows Platform Update Failed. This is because the Trusted Root Certificate cannot be verified without an Internet connection.
To troubleshoot the issue:
- Do not attempt to uninstall the DSA. If you already tried this and the AM module could not be removed, re-install the original version of the Agent before proceeding. To find the version of your previous DSA, log in to the DSM console and search "Update: Summary Information" under the Computer Events.
- Reactivate the DSA from the DSM console. The DSA should return to "Managed (Online)" status.
- Obtain and import the VeriSign Class 3 Public Primary Certification Authority - G5 certificate.
- Do not attempt to uninstall the DSA. If you already tried this and the AM module could not be removed, re-install the original version of the Agent before proceeding.
- Anti-Malware endpoint correlation on Windows does not generate hash values. Below are some known issues and limitations of hash value feature:
- Spyware multiple detection will not have hash values.
- For the detected Trojan file specific clean (specific pattern to multiple files), only the first event will have hash value and the following events will not.
- Endpoint Correlation detection does not generate hash value.
- Windows XP SP2 does not support SHA256 and Deep Security AMSP will not have SHA256 value.
- Anti-exploit may calculate the hash values of victim file instead of malware file.
- Anti-Malware Memory Scan is not supported on Windows XP and Windows 2003 x64 platforms.
- When using Application Control and the existing rule set is large, it can take several minutes to enforce the action on the Agent protecting the computer.
- After changing from Combined Mode to Agentless Mode, computers will not be displayed in the TMCM console. The display in the DSM console will not be affected. As a workaround:
- Manually uninstall the DSA from the computer and do not deactivate the Agent.
- Install the DSA back into this computer.
- Activate the Agent back to Combined Mode.
- With the SAP module enabled and Netweaver running on the same host, Real-Time Scan detection of malicious file will be reported twice. To prevent this, add the Netweaver GUI process path (e.g. C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe) to the AM Real-Time Scan exclusion list.
- When a new policy enables or disables the Smart Scan while the AMSP service is still starting up, it will return the following warning message:
Security Update: Pattern Update on Agents/Appliances FailedThe AMSP is still active even with the warning. Administrator needs to manually clear the warning since DSM will not automatically remove it.
- The DSA may show some Clean Failed (Delete Failed) events when a virus is detected during a network folder scan. This happens when the Network Directory Scan function is enabled in the Real-Time Scan configuration. The scenario is caused by the OS behavior when accessing network files on Windows 7 platforms only.
- DSA may fail to upgrade while Windows Process Explorer tool is running on the DSA machine. This issue is isolated to the following conditions only:
- An administrator is not logged in to the DSA computer.
- UAC (User Access Control) is enabled on the DSA computer.
- Process Explorer tool is running with no administrator account.
- When a user disables the Scanner functionality and then enables the Relay after assigning a Scanner "On" policy, both the Scanner icon and the Relay icon will still be shown in the Computer details page. This happens because of the delay in display.
- In this release, Linux and Solaris Agents do not drop ARP packets anymore. All ARP packets dropped by previous agents will only be logged in DSA 10.0 or newer versions. The behavior of the Windows Agent remains unchanged.
- When using Anti-Malware with Connected Threat Defense, there may be two (2) pass/deny access/log events if the Defer Scan is enabled. This occurs because there is a file write event which is deferred but then scanned immediately. There is also another file open/create event of the same file simultaneously (e.g. copying a file using explorer will generate a file write event and a file open/create event). As a workaround, turn off the Defer Scan.
- Users should only run one (1) Trend Micro Anti-Malware module on a protected computer. When Deep Security Agent is to be deployed, administrators should ensure that other Trend Micro products such as OfficeScan or Endpoint Sensor are uninstalled. If the DSA Anti-Malware module goes offline because another product is installed, remove OfficeScan or Endpoint Sensor and reinstall the DSA.
- When using Deep Security Scanner (SAP for Windows) to successfully scan and block MIME types for graphics files (e.g. jpg, bmp and gif) on the SAP WinGUI, administrators should enable the configuration parameter SCANBESTEFFORT.
- When upgrading from Deep Security Agent 9.6 SP1 Patch 1 U5 with Anti-Malware enabled to DSA 10.0, a reboot will be required to complete the upgrade. This happens on DSA running on Windows 8, Windows 8.1, Windows 10, Windows 10 TH2, Windows 10 RS1, Windows 2012, Windows 2012 R2, or Windows 2016. The same issue may occur when upgrading from other earlier versions of DSA. Event showing "A computer reboot required" will appear on the DSM and a pop-up notification on the host will show.
- In the Notification Area Icons settings under Control Panel, the Deep Security Notifier will remain listed even after uninstalling Deep Security. This is a known issue in Windows that also affects other products.
- Full Windows administrative privileges are required to install the Agent to a non-default installation path.
- When using Deep Security Scanner (SAP for Windows) and the file to be scanned exceeds the DSM scan size limitation, a "Skip file" error will be returned instead of an "Extracted file size exceeded the limit" error.
- When using Deep Security Scanner (SAP for Windows), there is a difference in compressed files scan behavior between .zip and .sar file types. If the file to be scanned is a .sar file and the extracted file is larger than the Scan Limit configured on the DSM, the scan will be skipped. For .zip files, the scan will be completed as long as the extracted scanned file is smaller than the Extract size configured through the SAP profile.
- There is no threshold limitation on the local DSA database size when in Application Control Maintenance Mode. Currently, there is no method of pruning.
- When uninstalling Deep Security Agent on Solaris 11, the following warning message will appear:
The following unexpected or editable files and directories were salvaged while executing the requested package operation; they have been moved to the displayed location in the image.This issue happens because the Solaris Image Packaging System (IPS) has removed the capability of packages to remove plug-ins and temporary files. Users can safely ignore the message and remove these files manually.
- In some circumstances, the Windows DSA uninstallation process may hang if there are quarantined files on the system.
- The Deep Security Notifier icon may sometimes disappear on Windows 10.
- After DSA is upgraded, the warning "Applying Application Control Ruleset Failed Verification" may unexpectedly appear. As a workaround:
- Cancel the uninstallation.
- Delete quarantined files manually. Quarantined files are stored at the following locations:
- Vista and above: C:\ProgramData\Trend Micro\AMSP\quarantine
- XP: C:\Documents and Settings\All Users\Application Data\\AMSP\quarantine
- Uninstall the DSA.
- If DSVA is configured in Agent-Initiated mode, user cannot successfully activate the guest agents using the Deep Security Manager web console. A "Protocol error" appears on the web console. The best practice for deploying DSVA is using the bi-directional mode.
- In an agentless environment with a guest VM running on Windows 2008 R2 64-bit and protected by DSVA, the SAP Configuration page will display "Platform not supported".