Enable or disable agent self-protection

Deep Security Agent self-protection prevents local users from tampering with the agent. When enabled, if a local user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" is displayed.

Agent self-protection is supported on Windows and on Linux; on Linux it requires Deep Security Agent version 20.0.0-5953 or later.

To update or uninstall Deep Security Agent or relay, or if you are a local user trying to create a diagnostic package for support from the command line, as described in Create a diagnostic package and logs, you must temporarily disable agent self-protection.

On Windows, Anti-Malware protection must be enabled to prevent local users from stopping the agent, as well as from modifying agent-related files and Windows registry entries. On Linux, at least one of the following must be enabled: Anti-Malware, Application Control, Integrity Monitoring with Real Time. Self-protection is not required to prevent uninstalling the agent.

Before stopping Deep Security Agent, disable its self-protection (the safeguard against unauthorized modification of the agent); stopping the agent while self-protection is enabled can cause problems, and disabling it first ensures the stop completes cleanly.

You can configure agent self-protection using either Deep Security Manager or the command line on the agent's computer.

Configure self-protection through Deep Security Manager

  1. Open the Computer or Policy editor where you want to enable agent self-protection.
  2. Select Settings > General.
  3. In the Agent Self-Protection section, select Yes to prevent local users from uninstalling, stopping, or otherwise modifying the agent.
  4. For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After you specify the password, it must be supplied to the dsa_control command with the -p or --passwd= option whenever a command is executed on the agent. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.
  5. Click Save.
  6. To disable self-protection, select No, and then click Save.

Configure self-protection using the command line

You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that (see Configure self-protection through Deep Security Manager).

Use the command line on Windows

  1. Log in to the Windows agent locally.
  2. Open the command prompt (cmd.exe) as an Administrator.
  3. Change the current directory to the Deep Security Agent installation folder. The following shows the default installation folder:

    cd C:\Program Files\Trend Micro\Deep Security Agent

  4. Enter one of the following commands:

    To enable agent self-protection, enter:

    dsa_control --selfprotect=1

    To disable agent self-protection, enter:

    dsa_control --selfprotect=0 -p <password>

    Here -p <password> is the authentication password, if one was previously specified in Deep Security Manager. For details, see Configure self-protection through Deep Security Manager.

Use the command line on Linux

  1. Open a command prompt (terminal) as an administrator (root).
  2. Change the current directory to the Deep Security Agent installation folder. The following shows the default installation folder:

    cd /opt/ds_agent

  3. Enter one of the following commands:

    To enable agent self-protection, enter:

    dsa_control --selfprotect=1

    To disable agent self-protection, enter:

    dsa_control --selfprotect=0 -p <password>

    Here -p <password> is the authentication password, if one was previously specified in Deep Security Manager. For details, see Configure self-protection through Deep Security Manager. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.

Limitations on Linux

  • The agent service should not be stopped when the system is shutting down or rebooting. Stopping the service may prevent it from working properly after the reboot.

  • The status of the agent service may be inconsistent. If you stop the agent service with the stop command, the command reports success, but the agent service keeps running as normal.

  • If a running process in the system has the same name as an agent process, it is added to the self-protection list and is protected from tampering as well.

  • The agent service cannot be killed when Out-Of-Memory (OOM) happens.

  • The Oracle 6 (32-bit) platform does not support self-protection.

  • If you have enabled secure boot and self-protection is not working, check your machine's kernel version. If the kernel version is 5.4 or earlier, upgrade to a kernel version that is later than 5.4.

Troubleshooting

You can restore the service status to normal as follows:

  1. Stop agent self-protection.

  2. Restart the agent service.

The agent self-protection resumes after the agent service restarts.
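The Linux command-line procedure and the troubleshooting steps above are the kind of thing that ends up scripted for maintenance windows, and the two places where such scripts go wrong are forgetting to re-enable self-protection after an upgrade or diagnostic run, and trusting a "stopped" status that, per the limitations above, can be wrong. The POSIX shell script below is an added example, not Trend Micro's own tooling. It uses the default /opt/ds_agent/dsa_control path and the --selfprotect and -p options from this page; the service name, the process name (both assumed to be ds_agent) and the use of systemctl are assumptions that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not Trend Micro's own tooling. Assumed (not stated on the
# page): the agent process and its service are both named "ds_agent" and the
# service is managed by systemctl. Override the variables below if that
# differs on your hosts.
set -u

DSA_DIR="${DSA_DIR:-/opt/ds_agent}"                 # default install folder (from the page)
DSA_CONTROL="${DSA_CONTROL:-$DSA_DIR/dsa_control}"
DSA_SERVICE="${DSA_SERVICE:-ds_agent}"              # assumption
DSA_PROCESS="${DSA_PROCESS:-ds_agent}"              # assumption
DSA_SETTLE="${DSA_SETTLE:-2}"                       # seconds to wait after a restart
# The override password is read from the environment rather than typed on
# the command line, so it does not land in shell history.
DSA_PASSWORD="${DSA_PASSWORD:-}"

# The manager silently truncates passwords longer than 32 characters, so a
# longer value in the environment could never match; refuse it up front.
check_password_length() {
  [ "${#1}" -le 32 ]
}

# Disable self-protection; -p is only needed when a password was set in
# Deep Security Manager.
selfprotect_off() {
  if [ -n "$DSA_PASSWORD" ]; then
    "$DSA_CONTROL" --selfprotect=0 -p "$DSA_PASSWORD"
  else
    "$DSA_CONTROL" --selfprotect=0
  fi
}

selfprotect_on() {
  "$DSA_CONTROL" --selfprotect=1
}

# Run one maintenance command (agent upgrade, uninstall, diagnostic package)
# with self-protection lowered only for its duration. The trap re-enables
# protection even if the command fails or the script is interrupted, so the
# host is never left unprotected by a half-finished maintenance window.
with_selfprotect_disabled() {
  if ! check_password_length "$DSA_PASSWORD"; then
    echo "DSA_PASSWORD is longer than 32 characters and would be truncated" >&2
    return 2
  fi
  selfprotect_off || return $?
  trap 'selfprotect_on' EXIT INT TERM
  "$@" && rc=0 || rc=$?
  selfprotect_on
  trap - EXIT INT TERM
  return "$rc"
}

# On Linux, "stop" can report success while the agent keeps running (see the
# limitations above), so check the process table instead of trusting the
# service command's exit status.
agent_running() {
  pgrep -x "$DSA_PROCESS" >/dev/null 2>&1
}

restart_agent_service() {
  systemctl restart "$DSA_SERVICE"
}

# The troubleshooting procedure from this page: disable self-protection,
# restart the service, then confirm the agent is actually up. Self-protection
# resumes on its own once the service restarts, so it is not re-enabled here.
restore_service() {
  selfprotect_off || return $?
  restart_agent_service || return $?
  sleep "$DSA_SETTLE"
  agent_running
}

# Usage: DSA_PASSWORD=... ./dsa_maint.sh run <command...>   or   ./dsa_maint.sh restore
if [ "${1:-}" = "run" ]; then
  shift
  with_selfprotect_disabled "$@"
elif [ "${1:-}" = "restore" ]; then
  restore_service
fi
```

Run it as root on the agent host, for example `DSA_PASSWORD='...' ./dsa_maint.sh run /opt/ds_agent/dsa_control -d` style invocations for whatever maintenance command you need, or `./dsa_maint.sh restore` when the service status has become inconsistent. The password check exists because a value longer than 32 characters is truncated on the manager side, so the full string in the environment would silently stop matching.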