Warning: Anti-Malware Engine has only Basic Functions

When new kernel versions are released, Trend Micro creates and releases kernel support packages for them. If your kernel version is not supported by the Linux agent, the Linux Anti-Malware Engine provides only basic protection to your computers. The Anti-Malware engine will return back to normal status from the basic function mode when your kernel version is supported.

Basic functions

Category Feature name Supported
Scan / Detection Document exploit protection
Predictive machine learning (1)
Behavior monitoring  
Spyware/Grayware
IntelliTrap
Scan compressed file
Smart scan
Connected threat defense
Inclusion / Exclusion Document exploit protection
Directories inclusion
File inclusion
Directories exclusion
File exclusion
File extension exclusion
Process image file exclusion (2)
Quarantine Quarantine file
Restore file
Container Container protection (3)

(1) Predictive machine learning: Even though this may occasionally work (if Trend Micro can get the process image path), it is not reliable and therefore not supported.

(2) Process image file exclusion: This is moved to user-mode match. This mode may have performance impact.

(3) Container protection: Trend Micro cannot protect runtime container workloads in this mode.

Reason IDs

In a case where partial functionality is in operation, to ensure that the Linux agent returns to full functionality, it is necessary to take other steps that depend on the reason ID. The reason ID is included in events forwarded to an external Syslog, SIEM server, or to Amazon SNS. It is also displayed in event description for Linux agent (either Anti-Malware Engine Offline or Anti-Malware Engine with Basic Functions).

  • Reason ID 7: No driver is available for the particular kernel version causes a driver offline error. To resolve this: Check if latest Kernel Support Package (KSP) is released for that particular kernel. File a case to request KSP support.
  • Reason ID 11: The Trend Micro public key--on the system when SecureBoot is enabled--is missing, so loading the driver failed, which caused a driver offline error. To resolve this: Configure Linux Secure Boot for agents.
  • Reason ID 12: The Trend Micro public key--on the system when SecureBoot is enabled--is expired, so loading the driver failed, which caused a driver offline error. To resolve this: Configure Linux Secure Boot for agents.
  • For all other reason IDs: Create a diagnostic package and contact support.
Reason ID Event reason Description
1 Unknown reason The malware scan failed for an unknown reason.
2 Incomplete Anti-Malware installation Incomplete installation of the Anti-Malware service has caused a driver offline error.
3 Failed process communication between DSA and AM service The process communication between the Deep Security Agent and Anti-Malware service failed and had caused a driver offline error.
4 Timeout of restart Windows Anti-Malware service (AMSP) restarted timeout (that is, the sign check process has hung).
5 Stopped Anti-Malware service The Anti-Malware service has stopped unexpectedly and has caused a driver offline error.
6 Failed sign check A Windows files (binaries or DLL) sign check failed unexpectedly.
7 Unavailable kernel version No driver is available for the particular kernel version and has caused a driver offline error.
8 Failed driver loading Load driver via tmhook or bmhook into kernel has failed and has caused a driver offline error.
9 Failed driver unloading

Unloading a driver from kernel failed and has caused a driver offline error.

No such scenario is needed, therefore, Trend Micro never reports this code in DsspState on Linux platforms.

10 Failed driver device opening Opening a driver device file failed and has caused a driver offline error.
11 Missing machine owner key Trend Micro public key Missing machine owner key Trend Micro public key on the system when SecureBoot is enabled results in a driver load failed and this has caused a driver offline error.
12 Expired machine owner key Trend Micro public key The machine owner key Trend Micro public key on the system is expired when SecureBoot is enabled results in a driver load failed and this has caused a driver offline error.
13 Signed with unauthorized public key The driver was signed with an unknown or unsupported public key.
14 Configuration file disable driver Agent is set to not load the driver by configuration INI file. This causes a driver offline state.
15 Policy disable driver Agent is set to not load the driver by the Deep Security policy. This causes a driver offline state.