Agent settings

Deep Security Agent-related settings are located on Administration > System Settings > Agents. They include the following.

You can automate agent-related system setting changes using the Workload Security API. For examples, see Configure Policy, Computer, and System Settings.

Agent-initiated activation (AIA)

In addition to activating new agents in Workload Security (such as via a cloud connector or manually adding a new computer on Computers), but you can also (or instead) allow agents to automatically activate themselves. See also Activate and protect agents using agent-initiated activation and communication.

Allow Agent-Initiated Activation: Allow agents to connect to Workload Security to activate themselves. Then select which computers are allowed to perform agent-initiated activation.

  • For Any Computers: Any computer, whether it is already listed on Computers or not.
  • For Existing Computers: Only computers already listed on Computers.
  • For Computers on the following IP List: Only computers whose IP address has a match on the specified IP list.

Also configure initiation behavior:

  • Policy to assign (if Policy not assigned by activation script): Security policy to assign to the computer during activation. This setting only applies if no policy is specified in the agent's activation script or an AIA event-based task.
  • Allow Agent to specify hostname: Allow the agent to specify its hostname by providing it to Workload Security during activation.
  • If a computer with the same name already exists: How to handle the activation attempt if the new computer is trying to use the same agent GUID or certificate as an existing computer:

    • Do not allow activation: Don't activate the computer.
    • Activate a new Computer with the same name: Using a new name, create a new computer object and activate the computer.
    • Re-activate the existing Computer: Keeping the same name, reuse the existing computer object and activate the computer.

    This setting only applies to physical computers, Azure virtual machiness (VMs), Google Cloud Platform (GCP) VMs, or VMware VMs. (AWS provides a unique instance ID that Workload Security uses to differentiate all AWS instances, so this setting is ignored for those computers.)

  • Reactivate cloned Agents: Reactivate clones as new computers; assign the the policy selected in Policy to assign (if Policy not assigned by activation script). This can be useful when re-imaging computer hard disks, or deploying new VM instances or AMI, using a "golden image" that has an already-activated Deep Security Agent. It ensures that each computer has a unique agent GUID, despite being deployed by copying the same software image.

    Clones are detected after the initial activation, during their first heartbeat. If the same agent GUID is being used on different computers, Workload Security detects the clones and reactivates those computers.

    If you disable this option, clones will not be automatically reactivated. You'll need to activate them either manually through the Workload Security console or via an activation script.

    This setting only applies to AWS instances, Azure virtual machines (VMs), Google Cloud Platform (GCP) VMs, or VMware VMs that you added via Computers > Add Account.

  • Reactivate unknown Agents: Reactivate deleted (but previously activated) computers as new computers if they connect again; do not assign the original computer's assigned policies or rules. This setting is useful together with inactive agent cleanup: any accidentally removed computers can automatically re-activate. See also Automate offline computer removal with inactive agent cleanup.

    Previously known agents are detected after the initial activation, during their next heartbeat. If a heartbeat has an agent GUID (indicating prior activation) but its computer is not currently listed on Computers, Workload Security reactivates the computer.

    Previous event messages will still link to the old computer object, not this new one.

Agent Upgrade

Automatically upgrade agents on activation: During activation, upgrade Deep Security Agent to the latest software version that's compatible with Workload Security. Linux computers only. See also Automatically upgrade agents on activation.

Inactive Agent Cleanup

If you have many offline computers (that is, they are not communicating with Workload Security), and they don't need to manage them anymore, you can automatically remove them from Computers via inactive agent cleanup. This setting is useful together with reactivating currently unknown agents. See also Automate offline computer removal with inactive agent cleanup.

Delete Agents that have been inactive for: How much time a computer must be inactive in order to be removed.

Data Privacy

Allow packet data capture in network events: This setting determines whether the agent captures and sends packet data to Workload Security as part of Intrusion Prevention and Firewall events. The options for this setting are:

  • Yes (excluding encrypted traffic): This is the default option. All unencrypted packet data is sent to Workload Security.
  • Yes (all traffic): All packet data is sent to Workload Security, including encrypted packet data. The resource requirements for capture of packet data on encrypted connections is higher than for unencrypted connections. If you select this option and encounter problems with performance on your workloads, consider switching to the option that excludes encrypted traffic.
  • No: Packet data is not captured or transmitted from the agent to Workload Security. Customers in regulated environments or who are concerned about the transmission of network content to Workload Security can disable this setting. For more information about data transmitted to Workload Security, see the Trend Micro Cloud One - Workload Security Data Collection Notice.

This feature is supported with Deep Security Agent 12.5.0.1001 or later.