Agent self-protection prevents local users from tampering with the agent. When enabled,
if a user tries to tamper with the agent, a message such as "Removal or modification
of this application is prohibited by its security settings" or "You don’t have permission
to rename the item DSAService.app" will be displayed.
To update or uninstall an agent or relay, or if you're a local user trying to create
a diagnostic package for support from the command line (see Create a diagnostic package), you must temporarily disable agent self-protection.
Note: Anti-Malware protection must be "On" to prevent users from stopping the agent, and
from modifying agent-related files and Windows registry entries. It isn't required,
however, to prevent uninstalling the agent.
You can configure agent self-protection using either the Server & Workload Protection console, or the command line on the
agent's computer.
Configure self-protection through the Server & Workload Protection console
Procedure
- Open the Computer or Policy editor where you want to enable agent self-protection.
- Click .
- In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
- For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After specifying the password here, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
- Click Save.
- To disable the setting, select No. Click Save.
Configure self-protection using the command line
You can enable and disable self-protection using the command line. The command line
has one limitation: you cannot specify an authentication password. You'll need to use
the Server & Workload Protection console for that. See Configure self-protection through
the Server & Workload Protection console for details.
For agents on Windows
Procedure
- Log in to the Windows computer which has the agent installed.
- Open the Command Prompt (cmd.exe) as Administrator.
- Change the current directory to the agent installation folder. (The default
install folder is shown below.)
cd C:\Program Files\Trend Micro\Deep Security Agent
- Enter one of the following commands:
  - To enable agent self-protection, enter:
    dsa_control --selfprotect=1
  - To disable agent self-protection, enter:
    dsa_control --selfprotect=0 -p <password>
    where -p <password> is the authentication password, if one was specified previously in Server & Workload Protection. For details on this password, see Configure self-protection through the Server & Workload Protection console.
For agents on Linux
Procedure
- Log in to the Linux computer which has the agent installed.
- Open the Command Prompt as Administrator.
- Change the current directory to the agent installation folder. (The default
install folder is shown below.)
cd /opt/ds_agent
- Enter one of the following commands:
  - To enable agent self-protection, enter:
    dsa_control --selfprotect=1
  - To disable agent self-protection, enter:
    dsa_control --selfprotect=0 -p <password>
    where -p <password> is the authentication password, if one was specified previously in Server & Workload Protection. For details on this password, see Configure self-protection through the Server & Workload Protection console.
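Added example (not part of the original documentation and not Trend Micro code): a POSIX shell wrapper for the Linux procedure above that disables self-protection, runs one maintenance command, and re-enables self-protection even if that command fails or is interrupted. DSA_CONTROL, DSA_PASSWORD and the function names are assumptions of this sketch; only the --selfprotect and -p options come from this page.

```shell
#!/bin/sh
# Added example: keep the window in which self-protection is off as short
# as possible, and never leave it off by accident.
# Assumption: DSA_CONTROL / DSA_PASSWORD are variable names chosen here.

DSA_CONTROL="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"

# Runs: dsa_control --selfprotect=<0|1> [-p <password>]
# The page states the password must accompany dsa_control once it is set.
# Note: -p places the password on the command line, where other local
# users may see it in the process list while the command runs.
set_selfprotect() {
    if [ -n "${DSA_PASSWORD:-}" ]; then
        "$DSA_CONTROL" "--selfprotect=$1" -p "$DSA_PASSWORD"
    else
        "$DSA_CONTROL" "--selfprotect=$1"
    fi
}

# Usage: with_selfprotect_off <command> [args...]
# The body is a subshell, so the traps are scoped to this one call.
with_selfprotect_off() (
    if [ "$#" -eq 0 ]; then
        echo "usage: with_selfprotect_off <command> [args...]" >&2
        exit 2
    fi
    if ! set_selfprotect 0; then
        echo "could not disable self-protection; nothing was run" >&2
        exit 1
    fi
    reenable() {
        set_selfprotect 1 || echo "WARNING: self-protection is still OFF" >&2
    }
    trap reenable EXIT              # runs on success, failure or signal exit
    trap 'exit 130' INT TERM HUP    # turn signals into a normal exit
    "$@"                            # the maintenance command itself
)
```

The wrapper returns the exit status of the maintenance command, so it can be used in scripts that check whether the update or diagnostic step succeeded.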
For agents on macOS
Procedure
- Log in to the macOS computer which has the agent installed.
- Open the Terminal, switch to root, and enter the following command:
sudo su
- Change the current directory to the agent installation folder, for example:
cd "/Library/Application Support/com.trendmicro.DSAgent"
- Enter one of the following commands:
  - To enable agent self-protection, enter:
    dsa_control -s 1
  - To disable agent self-protection, enter:
    dsa_control -s 0 -p <password>
    where -p <password> is the authentication password, if one was specified previously in Server & Workload Protection. For details on this password, see Configure self-protection through the Server & Workload Protection console.
Known issues for Linux
The following are known issues:
- The agent service might not stop when the system shuts down or reboots. The agent service might not work properly after reboot.
- The status of the agent service may not be accurate. Attempting to stop the service returns a "successful" result, but the service might still be running.
- If another running service has the same process name as the agent, then that other process will be added to the self-protection list.
- The agent service cannot be killed if OOM (Out-Of-Memory) happens.
- If you have enabled secure boot and self-protection is not working, please check your machine's kernel version. If the kernel version is 5.4 or less, please upgrade to a kernel version that is greater than 5.4.
Troubleshooting the Linux agent
To recover the agent self-protection service:
Procedure
- Stop the agent self-protection.
- Restart the agent service. Agent self-protection will restart after the agent service restarts.