The Integrity Monitoring module is specifically designed to detect and alert when files, directories, or system configurations on a protected computer are changed, modified, or tampered with. This is exactly the functionality described in the question.

From the official documentation:

“Integrity Monitoring detects and reports changes to files, directories, and system settings in real time, providing the capability to alert administrators about unauthorized modifications.”

Option A is correct.

Option B is incorrect; there is no File Inspection Module.

Option C is incorrect because Deep Security does provide this capability.

Option D is incorrect; Intrusion Prevention detects exploits, not file changes.

Deep Security Relays are specialized agents that distribute security updates (such as anti-malware patterns, rules, and engine updates) to other agents within the network. Regular Deep Security Agents connect to Relays to receive these updates, reducing the load on the Deep Security Manager and external bandwidth usage.

From the official documentation:

"Relays are agents that download security updates from the Trend Micro Update Server or the Deep Security Manager and then distribute these updates to other agents on the network."

Option D is correct: Agents communicate with relays to obtain security updates.

Option A is incorrect: Only 64-bit agents can be promoted to relays in recent versions.

Option B is incorrect: Relays retain all protection module functions after being promoted.

Option C is partially correct but not as precise as D; relays distribute, but do not "process" requests in the sense of approving/handling agent-side logic.

Recommendation scans in Deep Security are used to recommend rules for:

Intrusion Prevention

Integrity Monitoring

Log Inspection

Firewall and Application Control do not use recommendation scans for their rule or inventory management.

When Maintenance Mode is enabled for Application Control, any new or changed software is automatically added to the list of allowed software. This feature is intended to support software installation, patching, or upgrades without manual intervention.

From the official documentation:

"When a computer is in Maintenance Mode, Application Control allows all new software to run and automatically adds it to the inventory of allowed software."

When the Deep Security Agent’s network driver intercepts traffic, its primary network operations include stateful inspection (context of traffic and connection), verification of packet integrity for suitability, and detection of certain types of attacks, including reconnaissance scans.

However, anti-malware scan configuration and exclusion lists pertain to file system operations (not network packet inspection). Packets are not compared against anti-malware exclusion lists at the network driver level.

From the official documentation:

“The network driver intercepts packets and examines them for threats. This includes analyzing packets in context, verifying integrity, and checking for reconnaissance or suspicious activity. Anti-malware exclusions are applied at the file system level, not at the network packet analysis stage.”

Option B is correct (not performed at this network layer).

Options A, C, and D all describe valid operations at the network driver level.

In agentless (VMware-integrated) implementations, scan caching allows the Deep Security Virtual Appliance to remember which files have already been scanned on any VM on the same host. If the same file appears on another VM, it doesn't need to be scanned again, significantly improving performance and reducing resource usage.

Deep Security offers several ways to monitor tenant usage in a multi-tenant environment:

Chargeback reports in the Manager Web console provide detailed usage breakdowns per tenant.

The REST API enables automated, programmatic collection of usage data.

The Statistics tab within tenant properties displays real-time and historical usage information.

From the official documentation:

“Administrators can monitor usage with built-in Chargeback reports, by querying the Statistics tab in tenant properties, or by using the REST API for automated data collection and reporting.”