Enable or disable agent self-protection
Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" will be displayed.
To update or uninstall Deep Security Agent or Relay, or to create a diagnostic package for support (see Create a diagnostic package), you must temporarily disable agent self-protection.
You can configure agent self-protection using either the Workload Security console, or the command line on the agent's computer.
- Open the Computer or Policy editor where you want to enable agent self-protection.
- Click Settings > General.
- In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
- For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After specifying the password here, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
- Click Save.
- To disable the setting, select No. Click Save.
Configure self-protection using the command line
You can enable and disable self-protection using the command line. The command line has one limitation: you cannot specify an authentication password. You'll need to use the Workload Security console for that. See Configure self-protection through the Workload Security console for details.
- Log in to the Windows agent locally.
- Open the Command Prompt (cmd.exe) as Administrator.
Change the current directory to the Deep Security Agent installation folder. (The default install folder is shown below.)
cd C:\Program Files\Trend Micro\Deep Security Agent
Enter one of the following commands:
To enable agent self-protection, enter:
To disable agent self-protection, enter:
dsa_control --selfprotect=0 -p <password>
where -p <password> is the authentication password, if one was specified previously in Workload Security. For details on this password, see Configure self-protection through the Workload Security console.