Warning: Anti-Malware Engine has only Basic Functions

When the Anti-Malware engine is offline for Linux agents, Trend Micro still provides protection to your computers. The Anti-Malware engine provides partial functionality by automatically switching to the Linux kernel native hook.

Basic functions

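| Category | Feature name | Supported |
|---|---|---|
| Scan / Detection | Document exploit protection | |
| Scan / Detection | Predictive machine learning (1) | |
| Scan / Detection | Behavior monitoring | |
| Scan / Detection | Spyware/Grayware | |
| Scan / Detection | IntelliTrap | |
| Scan / Detection | Scan compressed file | |
| Scan / Detection | Smart scan | |
| Scan / Detection | Connected threat defense | |
| Inclusion / Exclusion | Document exploit protection | |
| Inclusion / Exclusion | Directories inclusion | |
| Inclusion / Exclusion | File inclusion | |
| Inclusion / Exclusion | Directories exclusion | |
| Inclusion / Exclusion | File exclusion | |
| Inclusion / Exclusion | File extension exclusion | |
| Inclusion / Exclusion | Process image file exclusion (2) | |
| Quarantine | Quarantine file | |
| Quarantine | Restore file | |
| Container | Container protection (3) | |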

(1) Predictive machine learning: Even though this may occasionally work (if Trend Micro can get the process image path), it is not reliable and therefore not supported.

(2) Process image file exclusion: This is moved to user-mode match. This mode may have a performance impact.

(3) Container protection: Trend Micro cannot protect runtime container workloads in this mode.

Reason IDs

When the Linux agent is running with partial functionality, the steps needed to return it to full functionality depend on the reason ID. The reason ID is included in events forwarded to an external Syslog or SIEM server, or to Amazon SNS. It is also displayed in the event description for the Linux agent (either Anti-Malware Engine Offline or Anti-Malware Engine with Basic Functions).

  • Reason ID 7: No driver is available for the particular kernel version, which causes a driver offline error. To resolve this: Check whether the latest Kernel Support Package (KSP) has been released for that particular kernel. File a case to request KSP support.
  • Reason ID 11: SecureBoot is enabled and the Trend Micro public key is missing from the system, so loading the driver failed, which caused a driver offline error. To resolve this: Install the machine owner key.
  • Reason ID 12: SecureBoot is enabled and the Trend Micro public key on the system is expired, so loading the driver failed, which caused a driver offline error. To resolve this: Install the machine owner key.
  • For all other reason IDs: Create a diagnostic package and contact support.

| Reason ID | Event reason | Description |
|---|---|---|
| 1 | Unknown reason | The malware scan failed for an unknown reason. |
| 2 | Incomplete Anti-Malware installation | Incomplete installation of the Anti-Malware service has caused a driver offline error. |
| 3 | Failed process communication between DSA and AM service | The process communication between the Deep Security Agent and the Anti-Malware service failed and has caused a driver offline error. |
| 4 | Timeout of restart | Restarting the Windows Anti-Malware service (AMSP) timed out (that is, the sign check process has hung). |
| 5 | Stopped Anti-Malware service | The Anti-Malware service has stopped unexpectedly and has caused a driver offline error. |
| 6 | Failed sign check | A sign check of Windows files (binaries/DLL) failed unexpectedly. |
| 7 | Unavailable kernel version | No driver is available for the particular kernel version, which has caused a driver offline error. |
| 8 | Failed driver loading | Loading the driver (tmhook/bmhook) into the kernel has failed and has caused a driver offline error. |
| 9 | Failed driver unloading | Unloading a driver from the kernel failed and has caused a driver offline error. No such scenario is needed currently; therefore, Trend Micro never reports this code in DsspState on Linux platforms. |
| 10 | Failed driver device opening | Opening a driver device file failed and has caused a driver offline error. |
| 11 | Missing machine owner key Trend Micro public key | The machine owner key (Trend Micro public key) is missing from the system while SecureBoot is enabled, so the driver failed to load, which has caused a driver offline error. |
| 12 | Expired machine owner key Trend Micro public key | The machine owner key (Trend Micro public key) on the system is expired while SecureBoot is enabled, so the driver failed to load, which has caused a driver offline error. |
| 13 | Signed with unauthorized public key | The driver was signed with an unknown/unsupported public key. |
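
For reason IDs 11 and 12, the enrolled machine owner keys can be checked on the host before and after installing the key. The script below is an added example, not Trend Micro tooling: it reads `mokutil --list-enrolled` output and reports `missing` (the reason ID 11 condition), `expired` (the reason ID 12 condition) or `ok`. The Subject match string "Trend Micro", the function names and the sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `mokutil --list-enrolled` text on stdin and reports
# whether a certificate whose Subject matches PATTERN is missing, expired or ok.
# Assumption: "Trend Micro" appears in the certificate Subject; adjust PATTERN.
# Requires GNU date for `date -d`.
mok_status() {
    pattern=$1
    now=${2:-$(date +%s)}      # optional epoch override, used for testing
    status=missing
    not_after=
    while IFS= read -r line; do
        case $line in
            *"Not After"*) not_after=${line#*: } ;;   # Validity precedes Subject
            *Subject:*)
                printf '%s\n' "$line" | grep -qiF -- "$pattern" || continue
                exp=$(date -u -d "$not_after" +%s 2>/dev/null) || continue
                if [ "$exp" -gt "$now" ]; then
                    status=ok                         # one valid key is enough
                elif [ "$status" = missing ]; then
                    status=expired
                fi ;;
        esac
    done
    echo "$status"
}

# Constructed sample in the layout mokutil prints (not from a real host).
sample_mok() {
    cat <<'EOF'
[key 1]
Certificate:
    Data:
        Issuer: CN=Example Distro Secure Boot CA
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2035 GMT
        Subject: CN=Example Distro Secure Boot CA
[key 2]
Certificate:
    Data:
        Issuer: CN=Trend Micro Example Signing Key
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2020 GMT
        Subject: CN=Trend Micro Example Signing Key
EOF
}

# On a real host: mokutil --sb-state; mokutil --list-enrolled | mok_status "Trend Micro"
echo "sample: $(sample_mok | mok_status "Trend Micro")"
```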