Enable or disable agent self-protection

The agent self-protection feature is available for agents on Windows, Linux and macOS.

On Linux, the agent self-protection feature is disabled by default. You need to file a feature request case with Trend Micro Support to enable it.

Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" or "You don’t have permission to rename the item DSAService.app" will be displayed.

To update or uninstall an agent or relay, if you're a local user trying to create a diagnostic package for support from the command line (see Create a diagnostic package), you must temporarily disable agent self-protection.

Anti-Malware protection must be "On" to prevent users from stopping the agent, and from modifying agent-related files and Windows registry entries. It isn't required, however, to prevent uninstalling the agent.

You can configure agent self-protection using either the Workload Security console, or the command line on the agent's computer.

Configure self-protection through the Workload Security console

1. Open the Computer or Policy editor where you want to enable agent self-protection.

2. Click Settings > General.

3. In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.

4. For Local override requires password, select Yes and type an authentication password.
   The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After specifying the password here, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.

5. Click Save.

6. To disable the setting, select No. Click Save.

Configure self-protection using the command line

You can enable and disable self-protection using the command line. The command line has one limitation: you cannot specify an authentication password. You'll need to use the Workload Security console for that. See Configure self-protection through the Workload Security console for details.

For agents on Windows:

1. Log in to the Windows computer which has the agent installed.

2. Open the Command Prompt (cmd.exe) as Administrator.

3. Change the current directory to the agent installation folder. (The default install folder is shown below.)
   cd C:\Program Files\Trend Micro\Deep Security Agent

4. Enter one of the following commands:

   • To enable agent self-protection, enter:
     dsa_control --selfprotect=1

   • To disable agent self-protection, enter:
     dsa_control --selfprotect=0 -p <password>

where -p <password> is the authentication password, if one was specified previously in Workload Security. For details on this password, see Configure self-protection through the Workload Security console.

For agents on Linux:

1. Log in to the Linux computer which has the agent installed.

2. Open the Command Prompt as Administrator.

3. Change the current directory to the agent installation folder. (The default install folder is shown below.)
   cd /opt/ds_agent

4. Enter one of the following commands:

   • To enable agent self-protection, enter:
     dsa_control --selfprotect=1

   • To disable agent self-protection, enter:
     dsa_control --selfprotect=0 -p <password>

where -p <password> is the authentication password, if one was specified previously in Workload Security. For details on this password, see Configure self-protection through the Workload Security console.

For agents on macOS:

1. Log in to the macOS computer which has the agent installed.

2. Open the Terminal, switch to root, and enter the following command: sudo su

3. Change the current directory to the agent installation folder, for example: cd /Library/Application Support/com.trendmicro.DSAgent

4. Enter one of the following commands:

   • To enable agent self-protection, enter:
     dsa_control -s 1

   • To disable agent self-protection, enter:
     dsa_control -s 0 -p <password>

where -p <password> is the authentication password, if one was specified previously in Workload Security. For details on this password, see Configure self-protection through the Workload Security console.

Known issues for Linux

The following are known issues:

• The agent service cannot be stopped when system shutdowns or reboots. The agent service may not work properly after reboot.

• The status of the agent service may not be accurate. If you try to stop the agent service, it returns the result "successful". However, the agent service could still be running.

• If another running service has the same process name as the agent, then that other process will be added to the self-protection list.

• The agent service cannot be killed if OOM (Out-Of-Memory) happens.

• If you have enabled secure boot and self-protection is not working, please check your machine's kernel version. If the kernel version is 5.4 or less, please upgrade to a kernel version that is greater than 5.4.

Troubleshooting the Linux agent

To recover the agent self-protection service:

1. Stop the agent self-protection.

2. Restart the agent service.
   Agent self-protection will restart after the agent service restarts.