Enable or disable agent self-protection in Windows
Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" will be displayed.
To update or uninstall Deep Security Agent or Relay, or if you're a local user trying to create a diagnostic package for support from the command line Create a diagnostic package and logs, you must temporarily disable agent self-protection.
You can configure agent self-protection using either the Deep Security Manager, or the command line on the agent's computer.
Configure self-protection through Deep Security Manager
- Open the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). where you want to enable agent self-protection.
- Click Settings > General.
- In the Agent Self-Protection section, select Yes to prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent.
- For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After specifying the password here, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
- Click Save.
- To disable the setting, select No.
- Click Save.
Configure self-protection using the command line
You can enable and disable self-protection using the command line. The command line has one limitation: you cannot specify an authentication password. You'll need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details.
- Log in to the Windows agent locally.
- Open the Command Prompt (cmd.exe) as Administrator.
Change the current directory to the Deep Security Agent installation folder. (The default install folder is shown below.)
cd C:\Program Files\Trend Micro\Deep Security Agent
Enter one of the following commands:
To enable agent self-protection, enter:
To disable agent self-protection, enter:
dsa_control --selfprotect=0 -p <password>
where -p <password> is the authentication password, if one was specified previously in Deep Security Manager. For details on this password, see Configure self-protection through Deep Security Manager.