Enable or disable agent self-protection

The agent self-protection feature is only available for agents on Windows. It is not available on Linux.

To update or uninstall Deep Security Agent or Relay, or to create a diagnostic package for support (see Create a diagnostic package), you must temporarily disable agent self-protection.

Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, the GUI will display a message such as "Removal or modification of this application is prohibited by its security settings".

Anti-malware protection must be "On" to prevent users from stopping the agent, and from modifying agent-related files and Windows registry entries. It isn't required, however, to prevent uninstalling the agent.

You can configure agent self-protection using either the GUI for Deep Security Manager, or the command line on the agent's computer.

Via Deep Security Manager

  1. Open the Computer or Policy editorClosed where you want to enable agent self-protection.
  2. Click Settings > General.
  3. In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
  4. To password-protect agent self protection, for Local override requires password, select Yes and type the password.
  5. Click Save.
  6. To disable the setting, select No. Click Save.

Via command line

  1. Log in to the Windows computer locally.
  2. Open the Command Prompt (cmd.exe) as Administrator.
  3. Change the current directory to the Deep Security Agent installation folder. (The default install folder is shown below.)

    cd C:\Program Files\Trend Micro\Deep Security\Agent

  4. Enter this command:

    dsa_control --selfprotect=1 --passwd=<password>

    where <password> is a password that will be required in order to override this setting. (See Command-line basics.) The password is optional, but strongly recommended.

    Store this password in a safe location. If you lose or forget the password you will have to contact your support provider for assistance in overriding this protection.
  5. To disable the setting, enter this command:

    dsa_control –s=0 –p "<password>"