
URL format for the agent download

The agent software package can be downloaded from Workload Security using a well-defined URL format.

In most cases, use of the standard deployment scripts (which also use the same URL format to download the agent software) is the quickest way to get started and should meet the majority of your deployment requirements.

This URL format is useful if you require further customization for the download and install of agents. For example, in some cases it may be necessary to have the deployment scripts that run on each server point to a local storage location (such as AWS S3) rather than have each server contact Workload Security to download software. You can use this URL format to build your own automation to periodically download new agent versions to your local storage location, and then point the agent deployment scripts that run on each server to your local storage location to meet this objective.

Agent download URL format

The following is the URL format for downloading the agent:

https://<dsm fqdn>/software/agent/<platform>/<arch>/<agent version>/<filename>

<dsm fqdn> parameter

The <dsm fqdn> parameter is the fully-qualified domain name of Workload Security, which is app.deepsecurity.trendmicro.com. Workload Security can be used for testing any of the examples provided in this topic.

<filename> parameter

The <filename> parameter is the file name of the agent installer file. The file name is dependent on the installation process used by each platform:

Platform <filename>
Linux (Red Hat Enterprise Linux, CentOS, Oracle, CloudLinux, Amazon Linux, SUSE) agent.rpm
Linux (Debian, Ubuntu) agent.deb
Windows agent.msi
AIX agent.bff.gz
Solaris 11+ agent.p5p.gz
Solaris 10 or earlier agent.pkg.gz
macOS agent.pkg

Workload Security does not validate the file name itself; however, when a file name is specified, the extension must be one of .rpm, .msi, .deb, .gz. If any other file name is specified, the file name returned by Workload Security will always be one of the names provided in the preceding table.

<agent version> parameter

The <agent version> parameter is optional.

When this parameter is not specified, the latest LTS agent released by Trend Micro for the target platform is returned.

When this parameter is specified, it is the agent version string, for example "12.0.0.123".

If your intent is to only use a specific version of the agent in a controlled environment, then explicitly adding the agent version to the URL accomplishes this goal.

When deploying agents at scale, it should be noted that adding the agent version in the URL (which hardcodes this agent version into every script you distribute) can create challenges for security operations teams distributing scripts to many applications teams.

Consider the process needed when the time comes to use a newer version of the agent. If the <agent version> is hardcoded in each script you distribute, each of these scripts requires an update to start using the new agent version. If you have many internal application teams, the process to request changes to each one of these scripts in use can be significant.

Workload Security provides two options to deal with this challenge:

  • Use scripts that omit the <agent version> component from the path. If the latest LTS agent meets your requirements, this is the most straightforward option to use.

  • Use agent version control which allows the Workload Security administrator to select on a per-platform basis exactly which agent version is returned from Workload Security. For more information, see Using agent version control to define which agent version is returned.

<platform>, <arch>, and <filename> parameters

The <platform>, <arch>, and <filename> parameters should be replaced with the strings listed in the following table.

Note that <platform> and <arch> are case-sensitive.

Platform Distribution <platform> <arch> <filename> Example
Linux Amazon 1 amzn1 x86_64 agent.rpm /software/agent/amzn1/x86_64/agent.rpm
  Amazon 2 amzn2 x86_64 agent.rpm /software/agent/amzn2/x86_64/agent.rpm
  CloudLinux 6 CloudLinux_6 x86_64 agent.rpm /software/agent/CloudLinux_6/x86_64/agent.rpm
  CloudLinux 7 CloudLinux_7 x86_64 agent.rpm /software/agent/CloudLinux_7/x86_64/agent.rpm
  CloudLinux 8 CloudLinux_8 x86_64 agent.rpm /software/agent/CloudLinux_8/x86_64/agent.rpm
  Debian 7 Debian_7 x86_64 agent.deb /software/agent/Debian_7/x86_64/agent.deb
  Debian 8 Debian_8 x86_64 agent.deb /software/agent/Debian_8/x86_64/agent.deb
  Debian 9 Debian_9 x86_64 agent.deb /software/agent/Debian_9/x86_64/agent.deb
  Oracle Linux 6 Oracle_OL6 x86_64 agent.rpm /software/agent/Oracle_OL6/x86_64/agent.rpm
  Oracle Linux 6 Oracle_OL6 i386 agent.rpm /software/agent/Oracle_OL6/i386/agent.rpm
  Oracle Linux 7 Oracle_OL7 x86_64 agent.rpm /software/agent/Oracle_OL7/x86_64/agent.rpm
  RedHat 6 RedHat_EL6 x86_64 agent.rpm /software/agent/RedHat_EL6/x86_64/agent.rpm
  RedHat 6 RedHat_EL6 i386 agent.rpm /software/agent/RedHat_EL6/i386/agent.rpm
  RedHat 7 RedHat_EL7 x86_64 agent.rpm /software/agent/RedHat_EL7/x86_64/agent.rpm
  RedHat 8 RedHat_EL8 x86_64 agent.rpm /software/agent/RedHat_EL8/x86_64/agent.rpm
  SuSE 11 SuSE_11 x86_64 agent.rpm /software/agent/SuSE_11/x86_64/agent.rpm
  SuSE 11 SuSE_11 i386 agent.rpm /software/agent/SuSE_11/i386/agent.rpm
  SuSE 12 SuSE_12 x86_64 agent.rpm /software/agent/SuSE_12/x86_64/agent.rpm
  SuSE 15 SuSE_15 x86_64 agent.rpm /software/agent/SuSE_15/x86_64/agent.rpm
  Ubuntu 16.04 Ubuntu_16.04 x86_64 agent.deb /software/agent/Ubuntu_16.04/x86_64/agent.deb
  Ubuntu 18.04 Ubuntu_18.04 x86_64 agent.deb /software/agent/Ubuntu_18.04/x86_64/agent.deb
Windows   Windows x86_64 agent.msi /software/agent/Windows/x86_64/agent.msi
    Windows i386 agent.msi /software/agent/Windows/i386/agent.msi
Unix Solaris 10 Updates 4-6 Solaris_5.10_U5 x86_64 agent.pkg.gz /software/agent/Solaris_5.10_U5/x86_64/agent.pkg.gz
    Solaris_5.10_U5 sparc agent.pkg.gz /software/agent/Solaris_5.10_U5/sparc/agent.pkg.gz
  Solaris 10 Updates 7-11 Solaris_5.10_U7 x86_64 agent.pkg.gz /software/agent/Solaris_5.10_U7/x86_64/agent.pkg.gz
    Solaris_5.10_U7 sparc agent.pkg.gz /software/agent/Solaris_5.10_U7/sparc/agent.pkg.gz
  Solaris 11 Updates 1-3 Solaris_5.11 x86_64 agent.p5p.gz /software/agent/Solaris_5.11/x86_64/agent.p5p.gz
    Solaris_5.11 sparc agent.p5p.gz /software/agent/Solaris_5.11/sparc/agent.p5p.gz
  Solaris 11 Update 4 Solaris_5.11_U4 x86_64 agent.p5p.gz /software/agent/Solaris_5.11_U4/x86_64/agent.p5p.gz
    Solaris_5.11_U4 sparc agent.p5p.gz /software/agent/Solaris_5.11_U4/sparc/agent.p5p.gz
  AIX 5.3 (Agent version 9.0) AIX_5.3 powerpc agent.bff.gz /software/agent/AIX_5.3/powerpc/agent.bff.gz
  AIX 6.1 (Agent version 9.0) AIX_6.1 powerpc agent.bff.gz /software/agent/AIX_6.1/powerpc/agent.bff.gz
  AIX 7.1, 7.2 (Agent version 9.0) AIX_7.1 powerpc agent.bff.gz /software/agent/AIX_7.1/powerpc/agent.bff.gz
  AIX 6.1, 7.1, 7.2 (Agent version 12 +) AIX powerpc agent.bff.gz /software/agent/AIX/powerpc/agent.bff.gz
macOS 10.15 macOS universal agent.pkg /software/agent/macOS/universal/agent.pkg
  11 macOS universal agent.pkg /software/agent/macOS/universal/agent.pkg
  12 macOS universal agent.pkg /software/agent/macOS/universal/agent.pkg

Agent download URL examples

Without <agent version>:

  • https://app.deepsecurity.trendmicro.com/software/agent/RedHat_EL7/x86_64/agent.rpm
  • https://app.deepsecurity.trendmicro.com/software/agent/Windows/x86_64/agent.msi

With <agent version>:

  • https://app.deepsecurity.trendmicro.com/software/agent/RedHat_EL7/x86_64/12.0.0.481/agent.rpm
  • https://app.deepsecurity.trendmicro.com/software/agent/Windows/x86_64/12.0.0.481/agent.msi

Exceptions for backwards compatibility

If <filename> is not provided after [...]/<platform>/<arch>/, Workload Security returns the agent download for that platform as described in the previous table.

If the path ends at [...]<platform>/<arch> (because neither <agent version> nor <filename> was specified), Workload Security returns the agent download for that platform as described in the previous table.

Examples:

  • https://app.deepsecurity.trendmicro.com/software/agent/RedHat_EL7/x86_64/
  • https://app.deepsecurity.trendmicro.com/software/agent/Windows/x86_64
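The URL forms above can be parsed mechanically, which makes it possible to find deployment scripts that hardcode an <agent version>. The following is an added example, not code from Workload Security or its deployment scripts; the function names and the sample script text are constructed, and it assumes a version is four dotted integers, as in this page's examples.

```python
import re
from urllib.parse import urlsplit

# Assumption: agent versions are four dotted integers, as in the page's
# examples ("12.0.0.123", "12.0.0.481").
VERSION = re.compile(r"\d+(?:\.\d+){3}")
URL = re.compile(r"""https://[^\s"'<>]+/software/agent/[^\s"'<>]+""")


def parse_agent_url(url):
    """Split an agent download URL into its documented components."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if parts[:2] != ["software", "agent"] or not 4 <= len(parts) <= 6:
        raise ValueError(f"not an agent download URL: {url}")
    platform, arch, *rest = parts[2:]  # both are case-sensitive: keep as written
    version = rest.pop(0) if rest and VERSION.fullmatch(rest[0]) else None
    if len(rest) > 1:
        raise ValueError(f"unexpected path segments in {url}")
    # filename None covers the backwards-compatible forms (server picks the name)
    return {"platform": platform, "arch": arch, "version": version,
            "filename": rest[0] if rest else None}


def pinned_urls(script_text):
    """Return (url, version) for every download URL that hardcodes a version."""
    found = []
    for url in URL.findall(script_text):
        info = parse_agent_url(url)
        if info["version"]:
            found.append((url, info["version"]))
    return found


# Constructed sample: fragments of deployment scripts (not from a real host).
SAMPLE = """
curl -o /tmp/agent.rpm https://app.deepsecurity.trendmicro.com/software/agent/RedHat_EL7/x86_64/agent.rpm
curl -o /tmp/agent.rpm "https://app.deepsecurity.trendmicro.com/software/agent/RedHat_EL7/x86_64/12.0.0.481/agent.rpm"
curl -O https://app.deepsecurity.trendmicro.com/software/agent/Windows/x86_64
"""

if __name__ == "__main__":
    for url, version in pinned_urls(SAMPLE):
        print(f"pinned to {version}: {url}")
```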

Agent version control

The agent version control allows you to specify which agents are returned when any URL request is made to Workload Security to download the agent.

To enable agent version control, send the following HTTP header with your URL request:

Agent-Version-Control: on

The following table provides details on the specific query parameters required on each platform to use agent version control:

Platform Required query parameters Example
Windows tenantID, windowsVersion, windowsProductType /software/agent/Windows/x86_64/agent.msi?tenantID=123&windowsVersion=10.0.17134&windowsProductType=3
Linux tenantID /software/agent/RedHat_EL7/x86_64/agent.rpm?tenantID=123
Solaris tenantID /software/agent/Solaris_5.11_U4/x86_64/agent.p5p.gz?tenantID=123
AIX tenantID, aixVersion, aixRelease /software/agent/AIX/powerpc/agent.bff.gz?tenantID=123&aixVersion=7&aixRelease=1
macOS tenantID, macOsVersion /software/agent/macOS/universal/agent.pkg?tenantID=123&macOS=10.15.1.20G71&

These parameters are automatically generated by the deployment scripts.

For examples of how to use agent version control, refer to the sample deployment script generated from Workload Security. By default, the deployment scripts generated by Workload Security use agent version control and demonstrate how to acquire these parameters for each platform.

Interactions between the <agent version> parameter and agent version control

Given that the intent of the agent version control is to provide the Workload Security administrator control over which agent version is returned, there is a natural conflict with a URL request that also includes the <agent version> parameter.

For this reason you should not specify the <agent version> as part of your request when sending the Agent-Version-Control: on HTTP header.

If there are both the Agent-Version-Control: on HTTP header and the <agent version> parameter in the request, the version of the agent returned is determined by the value taken from the agent version control configuration. The <agent version> parameter is ignored in the URL.
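One way to enforce this rule in your own download automation is to refuse to build a version-controlled request whose path still carries an <agent version>, and to check the required query parameters before anything is sent. This is an added example, not code from Workload Security; the function name is hypothetical, it covers the Windows, Linux, Solaris and AIX rows of the table, and it assumes versions are four dotted integers as in this page's examples.

```python
import re
from urllib.parse import urlencode

BASE = "https://app.deepsecurity.trendmicro.com"  # <dsm fqdn> given on this page

# Required query parameters per platform family, taken from the table above
# (Windows, Linux, Solaris and AIX rows).
REQUIRED = {
    "Windows": ("tenantID", "windowsVersion", "windowsProductType"),
    "Linux": ("tenantID",),
    "Solaris": ("tenantID",),
    "AIX": ("tenantID", "aixVersion", "aixRelease"),
}
# Assumption: a path segment of four dotted integers is an <agent version>.
VERSION_SEGMENT = re.compile(r"/\d+(?:\.\d+){3}(?=/|$)")


def version_controlled_request(family, path, params):
    """Return (url, headers) for a download that uses agent version control.

    Nothing is sent; the caller passes the result to its HTTP client.
    """
    if family not in REQUIRED:
        raise ValueError(f"no parameter list for platform family {family!r}")
    if VERSION_SEGMENT.search(path):
        # With the header on, the <agent version> in the URL is ignored, so a
        # pinned path would only give a false impression of which build arrives.
        raise ValueError("remove <agent version> from the path when using "
                         "agent version control")
    missing = [name for name in REQUIRED[family] if not params.get(name)]
    if missing:
        raise ValueError("missing required query parameters: " + ", ".join(missing))
    # Send only the documented parameters, in the documented order.
    query = urlencode({name: params[name] for name in REQUIRED[family]})
    return f"{BASE}{path}?{query}", {"Agent-Version-Control": "on"}


if __name__ == "__main__":
    url, headers = version_controlled_request(
        "AIX", "/software/agent/AIX/powerpc/agent.bff.gz",
        {"tenantID": "123", "aixVersion": "7", "aixRelease": "1"})  # constructed values
    print(url, headers)
```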