Identify the known issues that you may encounter in Deep Security 10.2.
Deep Security Manager
- When Application Control and Anti-Malware are enabled before upgrading, the Deep Security Manager may temporarily show that the Application Control module is offline after the upgrade.
- After upgrading to Deep Security Agent 10.2, the Security Update Status for the agent may change from "Up-to-Date" to "Out-of-Date" due to a synchronization issue with the Trend Micro ActiveUpdate Server. To fix this, trigger a security update for the agent.
- Due to a known issue with the VMware EPSec API, an advanced threat detection (machine learning) query will be initiated again when deleting files and moving them to the recycle bin. This makes the deletion process slower. It only happens for soft-deletes, which means moving the files to the recycle bin. If a user chooses to directly delete the files from hard disk (hard-delete), the issue will not happen.
- If you are using PostgreSQL as your Deep Security database, prior to upgrading to Deep Security Manager 10.2, check if the communication between the Deep Security Manager and PostgreSQL database is encrypted. Note that this is disabled by default and would have been manually configured.
To check this, verify whether the Deep Security Manager\webclient\webapps\ROOT\WEB-INF\dsm.properties file contains the line below:
If it exists, disable the encryption by deleting the line and restarting the Deep Security Manager service before upgrading. Add the line back after the upgrade. Failure to disable the encryption will cause the upgrade to fail.
For more information on how to set up the encryption on a PostgreSQL database, refer to this article: Encrypt communication between the Deep Security Manager and the database.
- When using a Deep Security Virtual Appliance deployed in an NSX environment, after turning on a protection module, applying a rule to a protected virtual machine, and switching between protection module tabs in Deep Security Manager, the status may display "Not Activated" for a brief time before correctly displaying the correct state (e.g "On, 1 rule").
- When using advanced threat detection (machine learning), the folder scan exclusion setting does not support the use of the wildcard (*) character.
Deep Security Agent
- Advanced Threat Detection (Machine Learning) does not work when a Deep Security Agent is using a proxy with IPv6 IP format. Please set the IPv6 host name format in the proxy setting for the policy.
- Advanced Threat Detection (Machine Learning) does not detect threats on USB storage devices on Windows 7.
- Windows XP and Windows Vista 32-bit Agents are not supported in Deep Security 10.2. When upgrading from a Deep Security 10.1 32-bit Windows Agent that already has an application control policy enabled, the upgrade will fail because the application control components are not available in Deep Security 10.2.
As a workaround:
- In Deep Security Manager, disable the application control for the agents that need to be upgraded to version 10.2.
- As a user with the appropriate administrative access, remove the application control security module component files from the agent installation folder. On Windows, the installation folder is typically c:\Program Files\Trend Micro\Deep Security Agent. You will need to remove the following:
- <installation folder>/dep/ac.deplua
- <installation folder>/lib/ac.dll
- <installation folder>/ext/ac.dse
- <installation folder>/ext/ac.dse.version
- Restart the agent software by restarting the agent node.
- Upgrade the agent package to Deep Security Agent 10.2. Once the agent has been upgraded to version 10.2, this procedure will not be required for future upgrades beyond Deep Security 10.2.
Deep Security Virtual Appliance
- If the Deep Security Virtual Appliance package has not been downloaded and imported into Deep Security Manager, software plug-in patches (DSP files) will no be automatically imported into the appliance package when available.
As a workaround, import the patch package first before upgrading the appliance package to a newer version. Otherwise, "Event 710 (.dsp xxx patch package is not found)" will be displayed in the Deep Security Manager system events.
- When deploying the Deep Security Virtual Appliance from the NSX Manager IP Pool using IPv6, the IPv6 will be disabled and not assigned to the NIC.
- Deep Security 10.2 is a feature release in preparation for Deep Security 11.0 and has similar platform requirements to 11.0. The Deep Security Manager 10.2 installer blocks the upgrades from Deep Security 9.5, including 9.5 versions of the Deep Security Manager, Deep Security Agent, Relay, and Deep Security Virtual Appliance. You can upgrade from Deep Security 9.5 to 9.6 and then to version 10.2. Additionally, Deep Security Agent 8.0 for Windows 2000 is not supported with Deep Security Manager 10.2.
- Deep Security Manager 10.1 and later no longer supports TLS 1.0 and 1.1 on port 4119. Older deployed relays (any version before 9.6 SP1 Patch 1, 9.6.2-6400) will fail to get software packages from the manager for distribution. To avoid having non-functional relays after the manager upgrade, the upgrade readiness check marks the older relays as not supported. Customers should upgrade the relays first before upgrading Deep Security Manager.