Enable or disable agent self-protection

The agent self-protection feature is only available for agents on Windows and macOS. It is not available on Linux.

Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" or "You don’t have permission to rename the item DSAService.app" will be displayed.

To update or uninstall an agent or relay, if you're a local user trying to create a diagnostic package for support from the command line (see Create a diagnostic package), you must temporarily disable agent self-protection.

Anti-Malware protection must be "On" to prevent users from stopping the agent, and from modifying agent-related files and Windows registry entries. It isn't required, however, to prevent uninstalling the agent.

You can configure agent self-protection using either the Workload Security console, or the command line on the agent's computer.

Configure self-protection through the Workload Security console

1. Open the Computer or Policy editor where you want to enable agent self-protection.
2. Click Settings > General.
3. In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
4. For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After specifying the password here, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
5. Click Save.
6. To disable the setting, select No. Click Save.

Configure self-protection using the command line

You can enable and disable self-protection using the command line. The command line has one limitation: you cannot specify an authentication password. You'll need to use the Workload Security console for that. See Configure self-protection through the Workload Security console for details.

For agents on Windows:

1. Log in to the Windows agent locally.
2. Open the Command Prompt (cmd.exe) as Administrator.
3. Change the current directory to the agent installation folder. (The default install folder is shown below.) cd C:\Program Files\Trend Micro\Deep Security Agent
4. Enter one of the following commands:

To enable agent self-protection, enter:

dsa_control --selfprotect=1

To disable agent self-protection, enter:

dsa_control --selfprotect=0 -p <password>

where -p <password> is the authentication password, if one was specified previously in Workload Security. For details on this password, see Configure self-protection through the Workload Security console.

For agents on macOS:

1. Log in to the computer which has the macOS agent installed.

2. Open the Terminal, switch to root, and enter the following command: sudo su

3. Change the current directory to the Deep Security Agent installation folder, for example: cd /Library/Application Support/com.trendmicro.DSAgent

4. Enter one of the following commands:

To enable agent self-protection, enter:

dsa_control -s 1

To disable agent self-protection, enter:

dsa_control -s 0 -p <password>

For the command above, replace with the authentication password if one was specified previously in Workload Security. For details on this password, see Configure self-protection through the Workload Security console.