Enable or disable agent self-protection on Windows
Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" is displayed.
To update or uninstall Deep Security Agent or relay, or if you are a local user trying to create a diagnostic package for support from the command line, as described in Create a diagnostic package and logs, you must temporarily disable agent self-protection.
Anti-Malware protection must be enabled to prevent users from stopping the agent, as well as from modifying agent-related files and Windows registry entries. However, it is not required to prevent uninstalling the agent.
You can configure agent self-protection using either Deep Security Manager or the command line on the agent's computer.
Configure self-protection through Deep Security Manager
- Open the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). where you want to enable agent self-protection.
- Select Settings > General.
- In the Agent Self-Protection section, select Yes to prevent local end-users from uninstalling, stopping, or otherwise modifying the agent.
- For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents an unauthorized use of the dsa_control command. After specifying the password, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
- Click Save.
- To disable the setting, select No.
- Click Save.
Configure agent self-protection using the command line
You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details.
- Log in to the Windows agent locally.
- Open the command prompt (cmd.exe) as an Administrator.
-
Change the current directory to the Deep Security Agent installation folder. The following shows the default installation folder:
cd C:\Program Files\Trend Micro\Deep Security Agent
-
Enter one of the following commands:
To enable agent self-protection, enter:
dsa_control --selfprotect=1
To disable agent self-protection, enter:
dsa_control --selfprotect=0 -p <password>, where -p <password> is the authentication password, if one was previously specified in Deep Security Manager. For details, see Configure self-protection through Deep Security Manager.