Enable or disable agent self-protection

The agent self-protection feature is available for agents on Windows, Linux, and macOS.

Note that on Linux, agent self-protection is disabled by default. To enable it, you need to file a case with Trend Micro Support.

Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" or "You don’t have permission to rename the item DSAService.app" is displayed.

To update or uninstall an agent or relay, or if you are a local user trying to create a diagnostic package for support from the command line (see Create a diagnostic package), you must temporarily disable agent self-protection.

Anti-Malware protection must be enabled to prevent users from stopping the agent, as well as from modifying agent-related files and Windows registry entries. However, it is not required to prevent uninstalling the agent.

You can configure agent self-protection using either the Workload Security console or the command line on the agent's computer.

Configure self-protection through the Workload Security console

  1. Open the Computer or Policy editor where you want to enable agent self-protection.

  2. Click Settings > General.

  3. In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.

  4. For Local override requires password, select Yes and type an authentication password.
    Setting an authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After you specify the password here, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.

  5. Click Save.

  6. To disable the setting, select No.

  7. Click Save.

Configure self-protection using the command line

You can enable and disable self-protection using the command line. The command line has one limitation: you cannot specify an authentication password. For that, you need to use the Workload Security console. See Configure self-protection through the Workload Security console for details.

For agents on Windows:

  1. Log in to the Windows computer which has the agent installed.

  2. Open the Command Prompt (cmd.exe) as Administrator.

  3. Change the current directory to the agent installation folder. The following shows the default install folder:
    cd C:\Program Files\Trend Micro\Deep Security Agent

  4. Enter one of the following commands:

    • To enable agent self-protection, enter:
      dsa_control --selfprotect=1

    • To disable agent self-protection, enter:
      dsa_control --selfprotect=0 -p <password>
      where -p <password> is the authentication password, if one was specified previously in Workload Security. For details, see Configure self-protection through the Workload Security console.

For agents on Linux:

  1. Log in to the Linux computer which has the agent installed.

  2. Open the Command Prompt as Administrator.

  3. Change the current directory to the agent installation folder. The following shows the default install folder:
    cd /opt/ds_agent

  4. Enter one of the following commands:

    • To enable agent self-protection, enter:
      dsa_control --selfprotect=1

    • To disable agent self-protection, enter:
      dsa_control --selfprotect=0 -p <password>
      where -p <password> is the authentication password, if one was specified previously in Workload Security. For details, see Configure self-protection through the Workload Security console.

For agents on macOS:

  1. Log in to the macOS computer which has the agent installed.

  2. Open the Terminal and switch to root by entering the following command:
    sudo su

  3. Change the current directory to the agent installation folder, for example:
    cd "/Library/Application Support/com.trendmicro.DSAgent"

  4. Enter one of the following commands:

    • To enable agent self-protection, enter:
      dsa_control -s 1

    • To disable agent self-protection, enter:
      dsa_control -s 0 -p <password>
      where -p <password> is the authentication password, if one was specified previously in Workload Security. For details, see Configure self-protection through the Workload Security console.
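
The wrapper below is an added example, not Trend Micro's own code: it applies the Linux and macOS commands above to the "temporarily disable" case, turning self-protection off for one maintenance command and turning it back on even if that command fails. The DSA_CONTROL, DSA_PLATFORM and DSA_PASSWORD variables and both function names are assumptions; the default paths are the install folders listed above, and the functions must be run as root.

```shell
#!/bin/sh
# Added example, not vendor code. Hypothetical names: DSA_CONTROL, DSA_PLATFORM,
# DSA_PASSWORD, set_selfprotect, with_selfprotect_disabled.

# Turn self-protection on (1) or off (0) with the per-platform syntax shown
# above: "--selfprotect=N" on Linux, "-s N" on macOS.
set_selfprotect() {
    case "$1" in
        0|1) ;;
        *) echo "usage: set_selfprotect 0|1" >&2; return 2 ;;
    esac
    # -p is added only when a password was configured in the console. Anything
    # passed with -p is visible in the process list while dsa_control runs.
    case "${DSA_PLATFORM:-$(uname -s)}" in
        Darwin)
            ctl="${DSA_CONTROL:-/Library/Application Support/com.trendmicro.DSAgent/dsa_control}"
            "$ctl" -s "$1" ${DSA_PASSWORD:+-p "$DSA_PASSWORD"} ;;
        *)
            ctl="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"
            "$ctl" "--selfprotect=$1" ${DSA_PASSWORD:+-p "$DSA_PASSWORD"} ;;
    esac
}

# Run one maintenance command ("$@") with self-protection disabled, then
# re-enable it whether the command succeeded, failed, or was interrupted.
with_selfprotect_disabled() {
    set_selfprotect 0 || { echo "could not disable self-protection" >&2; return 4; }
    trap 'set_selfprotect 1; exit 130' INT TERM
    rc=0
    "$@" || rc=$?
    trap - INT TERM
    if ! set_selfprotect 1; then
        echo "WARNING: agent self-protection is still disabled" >&2
        return 3
    fi
    return "$rc"
}

# Usage (as root): with_selfprotect_disabled <maintenance command> [args...]
```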

Known issues for Linux

The following are known issues:

  • The agent service cannot be stopped when the system shuts down or reboots. The agent service may not work properly after reboot.

  • The status of the agent service may not be accurate. If you try to stop the agent service, it returns the result as successful. However, the agent service could still be running.

  • If another running service has the same process name as the agent, then that other process will be added to the self-protection list.

  • The agent service cannot be killed if an out-of-memory (OOM) condition occurs.

  • If you have enabled secure boot and self-protection is not working, check your machine's kernel version. If the kernel version is 5.4 or earlier, upgrade to a kernel version later than 5.4.

Troubleshooting the Linux agent

You can recover the agent self-protection service as follows:

  1. Stop the agent self-protection.
  2. Restart the agent service.

Agent self-protection will restart after the agent service restarts.