Trend Micro Deep Security 9 on its way

VMworld 2012 San Francisco / Barcelona



During VMworld 2012 in San Fransisco Trend Micro announced the next version of their hypervisor based security product. They announced a lot of new and cool features and improvements which are probably gonna make into the final product.

I just got a demo at the Trend Micro booth here at VMworld in Barcelona and it look very promising.

(Please remember that the product is not released yet. Things may change before it is generally available.)

vSphere and Cloud support Deep Security 9 supports vSphere 5.1 and vCloud Networking and Security 5.1. Next to the support for vSphere 5.1 there is also support and integration for vCloud Director and Amazon cloud services.

De-cluttering of the interface

I’m not sure if you would classify this as a new feature, but in my opinion it should be high on the list. Trend Micro redesigned the interface a bit. Now the system configuration and tweaking no longer is a two day trip through al configuration tabs. I didn’t count them, but in the demo today I saw less tabs.



Deep Security 9 has the ability to separate the environments for the different tenants. The configuration can be placed in different databases. Not even the global settings and lists from Deep Security 8 are shared between the tenants. Also the licenses are per tenant. If one tenant only has licensing for Anti Malware and another for the full compliancy pack it won’t be a problem.

For the service provider there’s also good news. DS9 is getting a dashboard that contains the metrics for the datacenter across the tenants.


Security Profile inheritance

One of the annoyances I experienced with DS8 was that I had to create security profiles for each type of system I had. There was no way to create a scenario like: A SQL Server is a Windows 2008R2 server, Windows 2008R2 server is a Windows Server, is a Windows system.

In Deep Security 9 it is possible to use inheritance to create a SQL Server security profile that inherits from a Windows 2008R2 profile, that inherits from a Windows server profile, that inherits from a Windows system profile.


Performance improvements

In the previous version load balancing the Deep Security Manager was not optimal. Often one of the nodes did most of the work while the others were doing nothing. With Deep Security 9 the load can be more evenly distributed across the managers (If I remember correctly in combination with an external load balancer).

File scanning is also improved. In DS8 files were scanned each time they were accessed, regardless of the fact that the files were scanned on another VM. If I understood the Trend Micro people correctly the scanning is now based on a hash. When a file is accessed in VM1 a hash is calculated and the file is scanned. If the same file is accessed it won’t be scanned again if the hash is the same. Preliminary figures indicate that it could be a tenfold performance boost. Deep Security 9 now also uses ESXi level caching and deduplication.

Hypervisor protection

Before version 9 you could only protect virtual machines and servers with the agent. There was no way to protect the hypervisors integrity. That posed a problem, since access to the hypervisor makes it a lot easier to hack the VMs that are running on top of it. With DS9 you can protect the hypervisor by using Intel TPM/TXT on the host.

Other improvements

In Deep Security 8 recommendation scans were only possible if you had the agent installed in the virtual machine. That meant that often servers were protected by agent, because you had to install it for the recommendation scan. For virtual desktop deployments it meant that you had to create a VM on which you did the recommendation scan before you could apply it on a security profile. In DS9 Recommendation scans can now be performed on agentless VMs as well. The only DS9 feature that still needs an agent is Log Inspection.


The expected release date is Q4 2012.