Table of contents

Upgrade the agent

Software upgrades can be initiated through Workload Security or a third-party deployment system.

Before you begin an upgrade

Before you begin an agent upgrade:

  1. Check that you're upgrading from a supported version. You can upgrade to the latest version 20 agent from:
    • Deep Security Agent 11 LTS (GA version or LTS updates)
    • Deep Security Agent 12 LTS (GA version or LTS updates)
    • Deep Security Agent 12 Feature Releases
  2. Back up the agent computers that you plan to upgrade. Make a system restore point or VM snapshot of each agent.
  3. If you have set up the local Deep Security Relay servers, please upgrade all relays. See Upgrade the relay.

    You must upgrade all relays before you begin upgrading agents, otherwise, upgrades may fail.

    When you upgrade the agent, Workload Security verifies your signature on the agent to ensure that the software files have not changed since the time of signing. For more information, see Agent package integrity check.

  4. Next, review the platform-specific notes below and complete any advised tasks:

    • Linux agent upgrade notes:

      • Before upgrading the agent on a Linux platform, confirm the OS kernel is supported by the latest version of the agent. See Agent Linux kernel support..
    • Windows agent upgrade notes:

      • Immediately after upgrading version 12 or later of the agent on Windows with Anti-Malware enabled, be aware that the Anti-Malware engine may appear as 'Offline'. The engine will return to the 'online' state after the first heartbeat following the upgrade.
    • Solaris agent upgrade notes:

      • On Solaris 11, if you are upgrading from agent version 9.0, you must first upgrade to agent version 9.0.0-5616 or a later and from there, upgrade to agent version 11.0. If you upgrade from an earlier build, the agent may fail to start. If this problem occurs, see Fix the upgrade issue on Solaris 11.
      • An upgrade on Solaris may take five minutes or longer to complete in some cases.
    • AIX agent upgrade notes:

      • There are not upgrade notes for AIX at this time.

You are now ready to upgrade your agent.

Upgrade the agent starting from an alert

When a new agent software version is available, a message appears on Alerts.

Alert message stating new agent version is available

  1. In the alert, click Show Details and then click View all out-of-date computers. Computers appears, displaying all computers where Software Update Status is Out-of-Date. What is considered out-of-date is determined by version control rules you have set up. For details, see Configure agent version control.
  2. Continue with Upgrade an agent from the Computers page or Upgrade the agent by running the installer manually.

Upgrade multiple agents at once

  1. In the Workload Security console, go to Administration > Updates > Software.
  2. In the main pane, see Computers for any computers running agents for which upgrades are available.
  3. Click Upgrade Agent / Appliance Software to upgrade all out-of-date computers. What is considered out-of-date is determined by version control rules you have set up. For details, see Configure agent version control.

Upgrade the agent from the Computers page

  1. In the Workload Security console, go to Computers, and then do one of the following:

    • Right-click the computers that you want to upgrade and select Actions > Upgrade Agent Software.
    • Select the computers that you want to upgrade, click Actions at the top and select Upgrade Agent Software.
    • Double-click the computer that you want to upgrade and click Upgrade Agent on the Computer dialog.

    You must upgrade your relays before your agents to prevent failures (see Upgrade a relay). To identify a relay, look for the relay icon Relay icon.

  2. In the dialog that appears, select Agent Version. You should select the default Use the latest version for platform (X.Y.Z.NNNN).

  3. Click Next.

Upgrade the agent on activation

If the agent is installed on Linux or Windows, you can choose to automatically upgrade the agent to the newest software version compatible with Workload Security when the agent is activated or reactivated. For details, see Automatically upgrade agents on activation.

Upgrade the agent from a Scheduled Task

You can create a Scheduled Task to upgrade a group of agents on a set schedule. For details, see Scheduled Agent Upgrade Task.

If you set Agent Version Control to a specific version on a certain platform, then the Scheduled Agent Upgrade Task does not upgrade the agent on that platform.

Upgrade the agent manually

Sometimes you may not be able to upgrade the agent software from the Workload Security console. Reasons may include:

  • There are connectivity restrictions between Workload Security and agent computers.
  • Your agent software is too old, and Workload Security doesn't support upgrading it anymore.
  • You prefer to deploy upgrades using a third-party system.

If any of these scenarios describes your situation, you can upgrade the agent by running the installer manually. The method varies by operating system:

Upgrade the agent on Windows

  1. Disable agent self-protection to allow the installer to make modifications to the agent. To disable self-protection: a. In the Workload Security console, go to Computer editor > Settings > General. b. In Agent Self Protection, deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for a local override.
  2. Export the new agent ZIP from Workload Security. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  3. Copy the ZIP to the agent computer and extract it.
  4. Double-click the MSI file in the root of the ZIP file. The installer detects the previous agent and performs the upgrade.

Upgrade the agent on Linux

  1. Export the new agent ZIP from Workload Security. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  2. Copy the ZIP to the agent computer and extract it.
  3. If the computer uses the rpm package manager (Red Hat, CentOS, Amazon Linux, Cloud Linux, SUSE), enter the following command:

    rpm -U <new agent installer rpm>

    The -U argument instructs the installer to perform an upgrade.

  4. If the computer uses the dpkg package manager (Debian or Ubuntu), enter the following command:

    dpkg -i <new agent installer dpkg>

Upgrade the agent on Solaris

  1. Export the new agent ZIP from Workload Security. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  2. Copy the ZIP to the agent computer and extract it.
  3. Run the installer:

    • Solaris 11, one zone (run in the global zone):

      • x86:

        pkg update -g file://mnt/Agent-Solaris_5.11-9.x.x-xxxx.x86_64/Agent-Core-Solaris_5.11-9.x.x-xxxx.x86_64.p5p pkg:/security/ds-agent

      • SPARC:

        pkg update -g file:///mnt/Agent-Solaris_5.11-9.x.x-xxxx.x86_64/Agent-Solaris_5.11-9.x.x-xxxx.sparc.p5p pkg:/security/ds-agent

    • Solaris 11, multiple zones (run in the global zone):

      mkdir <path>

      pkgrepo create <path>

      pkgrecv -s file://<dsa core p5p file location> -d <path> '\*'

      pkg set-publisher -g <path> trendmicro

      pkg update pkg://trendmicro/security/ds-agent

      pkg unset-publisher trendmicro

      rm -rf <path>

    • Solaris 10:

      1. Create an installation configuration file named ds_adm.file with the content listed below, and then save it in the root directory.

        mail=

        instance=overwrite

        partial=nocheck

        runlevel=quit

        idepend=nocheck

        rdepend=quit

        space=quit

        setuid=nocheck

        conflict=quit

        action=nocheck

        proxy=

        basedir=default\

      2. Next, run this command to install the package:

        pkgadd -G -v -a /root/ds_adm.file -d Agent-Core-Solaris_5.10_U7-10.0.0-1783.x86_64.pkg

Upgrade the agent on AIX

  1. Export the new agent ZIP from Workload Security. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  2. Copy the ZIP to the agent computer and extract it. A BFF file becomes available.
  3. Copy the BFF file to a temporary folder such as /tmp on the AIX computer. For detailed instructions, see Install the agent manually.
  4. Upgrade the agent. Use these commands:

    /tmp> rm -f ./.toc

    /tmp> installp -a -d /tmp/<agent_BFF_file_name> ds_agent

    where <agent_BFF_file_name> is replaced with the name of the BFF installer file you extracted.

Upgrade best practices for agents

If you have critical workloads running on your agent servers, we recommend that you follow these best practices when upgrading:

  • Upgrade when the computers are less busy.
  • Test the upgrade procedure first in a staging environment before upgrading production servers.
  • When upgrading production servers, upgrade one server at a time for the first few servers. Allow a soak period in between each server upgrade.
  • After individually upgrading a number of production servers for a given OS version (and application role, on Solaris or AIX), upgrade the remaining servers in groups.
  • Also review the Best practices for upgrades.