Configure agents that have no internet access
If your agents or relays do not have access to the internet (air-gapped agents), then they cannot access some of the security services provided by the Trend Micro Smart Protection Network. These security services are necessary for the full and successful operation of the Deep Security Anti-Malware and Web Reputation modules.
The Trend Micro Smart Protection Network security services include the following:
| Service name | Required for these features |
| --- | --- |
| Smart Scan Service | Smart Scan |
| Web Reputation Service | Web Reputation |
| Global Census Service | behavior monitoring, predictive machine learning |
| Good File Reputation Service | behavior monitoring, predictive machine learning, process memory scans |
| Predictive Machine Learning Service | predictive machine learning |
In addition to these services, the agent and relay-enabled agent need access to the Trend Micro Update Server (also called Active Update), which is not part of the Smart Protection Network, but is a component that is hosted by Trend Micro and accessed over the internet.
If any of your agents or relay-enabled agents cannot reach these services, you have several solutions.
Solutions
- Solution 1: Use a proxy
- Solution 2: Install a Smart Protection Server locally
- Solution 3: Get updates in an isolated network
- Solution 4: Disable features that use Trend Micro security services
Use a proxy
If your agents or relay-enabled agents cannot connect to the internet, you can install a proxy that can. Your Deep Security Agents and relays connect to the proxy, and the proxy then connects outbound to the Trend Micro security services in the Smart Protection Network.
With a proxy, each Smart Scan or Web Reputation request goes out over the internet to the Smart Protection Network. Consider instead using a Smart Protection Server inside your LAN to keep these requests within your network and reduce extranet bandwidth usage.
To use a proxy, see Configure proxies.
Install a Smart Protection Server locally
If your agents and relay-enabled agents cannot connect to the internet, you can install a Smart Protection Server in your local area network (LAN) to which your agents and relay-enabled agents can connect. The local Smart Protection Server periodically connects outbound over the internet to the Smart Protection Network to retrieve the latest Smart Scan Anti-Malware patterns and Web Reputation information. This information is cached on the Smart Protection Server and queried by your agents and relay-enabled agents. The Smart Protection Server does not push updates to the agents or relay-enabled agents.
If you decide to use this solution, keep in mind the following:
- The functionality is limited. Only the Smart Scan and Web Reputation modules are supported with a local Smart Protection Server.
- Use the proxy solution if you need Behavior Monitoring, Predictive Machine Learning, or Process Memory scanning. See Use a proxy for details. If you decide not to use these features, you must disable them to prevent query failures and to improve performance. For instructions, see Disable features that use Trend Micro security services.
To deploy a Smart Protection Server, install it manually. See the Smart Protection Server documentation for details.
This scenario applies when only an agent and relay-enabled agent are air-gapped, but Deep Security Manager has internet access or proxy access, as described in Port numbers, URLs, and IP addresses. If Deep Security Manager is also air-gapped, you need to use a proxy to receive security updates from the Trend Micro Active Update Server. Alternatively, use Solution 3 Get updates in an isolated network.
Get updates in an isolated network
If your Deep Security Manager is in an isolated network without connection to the internet and your agents or relay-enabled agents cannot connect to the internet, you can install an additional stand-alone Deep Security Manager with database and a relay-enabled agent in your demilitarized zone (DMZ) or another area where internet access is available.
Once all the components are installed, you can configure the relay-enabled agent in the DMZ to automatically obtain the latest malware scan updates from the Update Server on the internet. These updates must be extracted to a .zip file, and then manually copied to your air-gapped relay.
If you decide to use this solution, keep in mind the following:
- The .zip file contains traditional (large) malware patterns, which give you basic Anti-Malware capabilities.
- The .zip file also contains Deep Security Rule Updates, which are used for Intrusion Prevention, Integrity Monitoring, and Log Inspection. You can also choose to obtain those updates separately. See Get rules updates in an isolated network.
- The following advanced Anti-Malware features are not available: Smart Scan, behavior monitoring, predictive machine learning, process memory scans, and Web Reputation. These features require access to Trend Micro security services.
- You should disable advanced Anti-Malware features, since they cannot be used.
- You should have a plan in place to periodically update the .zip file on your air-gapped relay to ensure you always have the latest malware patterns.
To deploy this solution, follow these steps:
- Install Deep Security Manager and its associated database in your DMZ. These internet-facing components can be referred to as the DMZ manager and DMZ database.
- Install an agent in your DMZ and configure it as a relay. This agent can be referred to as the DMZ relay. For information on setting up relays, see Deploy additional relays.
  The following is now installed:
  - DMZ manager
  - DMZ database
  - DMZ relay
  - air-gapped manager
  - air-gapped database
  - air-gapped relay
  - multiple air-gapped agents
- On the DMZ relay, create a .zip file containing the latest malware patterns by running this command:
  dsa_control -b
  The command line output shows the name and location of the .zip file that was generated.
- Copy the .zip file to the air-gapped relay. Place the file in the relay's installation directory:
  - On Windows, the default directory is C:\Program Files\Trend Micro\Deep Security Agent.
  - On Linux, the default directory is /opt/ds_agent.
  Do not rename the .zip file.
- On the air-gapped manager, initiate a security update download:
  - Click Computers at the top.
  - In the list of computers, find the air-gapped relay to which you copied the .zip file, right-click it and select Download Security Update.
  The air-gapped relay checks its configured update source (typically the Update Server on the internet). Since it cannot connect to this server, it checks for the .zip file in its installation directory. When it finds the .zip file, it extracts it and imports the updates. The updates are then disseminated to the air-gapped agents that are configured to connect to the relay.
- Delete the .zip file after the updates are imported to the air-gapped relay.
- Configure the air-gapped relay to connect to itself instead of the Update Server (to prevent connection error alerts):
  - Log in to the air-gapped manager.
  - Click Administration at the top.
  - On the left, click System Settings.
  - In the main pane, select the Updates tab.
  - Under Primary Security Update Source, select Other update source and enter https://localhost:[port], where [port] is the configured port number for security updates (4122 by default).
  - Click OK.
  The air-gapped relay no longer tries to connect to the Update Server on the internet.
- Optionally, to improve performance, disable features that use Trend Micro security services. See Disable features that use Trend Micro security services.
- On a periodic basis, download the latest updates to your DMZ relay, zip them, copy them to your air-gapped relay, and initiate a security update download on the relay.
You have now deployed a Deep Security Manager, associated database, and relay in your DMZ from which to obtain malware scan updates.
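The bundle created with dsa_control -b crosses the air gap on removable media, where it can be corrupted or replaced without the relay noticing; the relay only requires that the file keep its original name. The script below is an added example, not Trend Micro's code and not part of this page: it records a SHA-256 manifest beside the bundle on the DMZ relay, verifies that manifest on the air-gapped relay, and only then places the file, unrenamed, in the agent's installation directory. The function names, the manifest naming (bundle name plus .sha256) and the AIRGAP_RELAY_DIR variable are assumptions; the /opt/ds_agent default is the Linux path from the procedure above, and the script needs GNU sha256sum.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): integrity-checked transfer of the
# dsa_control -b bundle across the air gap. Function and manifest names are
# assumptions made for this example.
set -eu

# Default Linux agent installation directory, as given in the procedure.
# Override via the environment on hosts that use a non-default path.
AIRGAP_RELAY_DIR="${AIRGAP_RELAY_DIR:-/opt/ds_agent}"

# DMZ side: write "<sha256>  <bundle name>" to <bundle>.sha256 next to the
# bundle. The manifest records only the base name so it verifies from any
# directory the media is mounted at. Prints the manifest path.
make_manifest() {
    bundle="$1"
    dir=$(dirname "$bundle"); name=$(basename "$bundle")
    [ -f "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 1; }
    (cd "$dir" && sha256sum "$name") > "$bundle.sha256"
    printf '%s\n' "$bundle.sha256"
}

# Air-gapped side: check the bundle against its manifest. Returns non-zero
# when the manifest is missing or the hash does not match.
verify_bundle() {
    bundle="$1"
    dir=$(dirname "$bundle"); name=$(basename "$bundle")
    [ -f "$bundle.sha256" ] || { echo "missing manifest for $name" >&2; return 1; }
    (cd "$dir" && sha256sum -c --status "$name.sha256")
}

# Air-gapped side: copy a verified bundle into the relay's installation
# directory without renaming it, and print the staged path. A bundle that
# fails verification is never copied.
stage_bundle() {
    bundle="$1"; dest="${2:-$AIRGAP_RELAY_DIR}"
    verify_bundle "$bundle" || { echo "integrity check failed, not staging $bundle" >&2; return 1; }
    [ -d "$dest" ] || { echo "relay directory not found: $dest" >&2; return 1; }
    cp -- "$bundle" "$dest/$(basename "$bundle")"
    printf '%s\n' "$dest/$(basename "$bundle")"
}
```

Typical use: on the DMZ relay, run make_manifest on the path printed by dsa_control -b and copy both files to the media; on the air-gapped relay, run stage_bundle on the copied bundle and then trigger Download Security Update from the manager. After the import, delete both the bundle and the manifest from the relay directory as the procedure requires.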
To upgrade this solution, perform the upgrade in the following order:
- DMZ manager (and its database, if the database software also needs to be upgraded)
- DMZ relay
- air-gapped manager (and its database, if the database software also needs to be upgraded)
- air-gapped relay
- air-gapped agents
If you do not upgrade relays first, security component upgrades and software upgrades may fail.
For details on upgrading, see
Get rules updates in an isolated network
The .zip file you created contains the Deep Security Rule Updates that are used for Intrusion Prevention, Integrity Monitoring, and Log Inspection. However, if you would like to get those updates separately:
- On the DMZ manager, go to Administration > Updates > Security > Rules.
- Click a rule update .dsru file and click Export. The file is downloaded locally.
- Repeat the export for each .dsru file that you want to apply to the air-gapped manager.
- Copy the .dsru files to the air-gapped manager.
- On the air-gapped manager, go to Administration > Updates > Security > Rules.
- Click Import, select the .dsru file, and click Next.
- The manager validates the file and displays a summary of the rules it contains. Click Next.
  A message displays, saying that the rule update was imported successfully.
- Click Close.
- Repeat the import for each .dsru file that you want to apply to the air-gapped manager.
Disable features that use Trend Micro security services
You can disable features that use Trend Micro security services. Doing so improves performance because the air-gapped agent no longer tries (and fails) to query the services.
Without Trend Micro security services, your malware detection is downgraded significantly, ransomware is not detected at all, and process memory scans are also affected. It is therefore strongly recommended that you use one of the other solutions to allow access to Trend Micro security services. If this is impossible, only then should you disable features to realize performance gains.
- To disable Smart Scans:
- Open the Computer or Policy editor. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
- On the left, click Anti-Malware.
- In the main pane, click Smart Protection.
- Under Smart Scan, deselect Inherited (if it is selected), and then select Off.
- Click Save.
- To disable Web Reputation:
- Open the Computer or Policy editor. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
- On the left, click Web Reputation.
- In the main pane, make sure the General tab is selected.
- From the Configuration list, select Off.
- Click Save.
- To disable Smart Feedback:
- In Deep Security Manager, click Administration at the top.
- Click System Settings on the left.
- In the main pane, select the Smart Feedback tab.
- Deselect Enable Trend Micro Smart Feedback (recommended).
- Click Save.
- To disable Process Memory scans:
- In Deep Security Manager, click Policies at the top.
- On the left, expand Common Objects > Other, and then click Malware Scan Configurations.
- Double-click a malware scan configuration with a SCAN TYPE of Real-Time.
- On the General tab, under Process Memory Scan, deselect Scan process memory for malware.
- Click OK.
- To disable Predictive Machine Learning:
- Make sure you still have a real-time malware scan configuration open.
- On the General tab, under Predictive Machine Learning, deselect Enable Predictive Machine Learning.
- Click OK.
- To disable Behavior Monitoring:
- Make sure you still have a real-time malware scan configuration open.
- On the General tab, under Behavior Monitoring, deselect Enable Behavior Monitoring.
- Click OK.
To improve performance, you can disable the census and grid (Good File Reputation) queries on Deep Security Manager. If you leave them enabled, a significant amount of unnecessary background processing takes place.
- To disable the census query using the command line, execute the following:
dsm_c -action changesetting -name settings.configuration.enableCensusQuery -value false
- To disable the census query from the UI:
- Go to Computer > Settings > General > Network Setting for Census, Good File Reputation, and Predictive Machine Learning Services.
- For Enable Census query, select No.
- To disable the grid query using the command line, execute the following:
dsm_c -action changesetting -name settings.configuration.enableGridQuery -value false
- To disable the grid query from the UI:
- Go to Computer > Settings > General > Network Setting for Census, Good File Reputation, and Predictive Machine Learning Services.
- For Enable Good file reputation query, select No.