Error: Anti-Malware Engine Offline

A common cause of this error is having Secure Boot enabled without a public key enrolled. Before continuing, Secure Boot users should check that a public key is properly enrolled, as detailed in the following article: Linux Secure Boot support for agents. If you encounter this error and do not want to use Secure Boot, you can simply disable it to bring the Anti-Malware Engine back online.

This error can occur for a variety of reasons. To resolve the issue, follow the instructions below for the mode of protection that is being used:

For an overview of the Anti-Malware module, see About Anti-Malware.

Agent-based protection

  1. In the Deep Security Manager, check for other errors on the same machine. If errors exist, there could be other issues that are causing your Anti-Malware engine to be offline, such as communications or Deep Security Agent installation failure.
  2. Check communications from the agent to the Deep Security Relay and the manager.
  3. In the Deep Security Manager, view the details for the agent with the issue. Verify that the policy or setting for Anti-Malware is turned on, and that the configuration for each scan (real-time, manual, scheduled) is in place and active. (See Enable and configure anti-malware.)
  4. Deactivate and uninstall the agent before reinstalling and re-activating it. See Uninstall Deep Security and Activate the agent for more information.
  5. In the Deep Security Manager, go to the Updates section for that computer. Verify that the Security Updates are present and current. If not, click Download Security Updates to initiate an update.
  6. Check if there are conflicts with another anti-virus product, such as OfficeScan. If conflicts exist, uninstall the other product and Deep Security Agent, reboot, and reinstall the Deep Security Agent. To remove OfficeScan, see Uninstalling clients or agents in OfficeScan (OSCE).

If your agent is on Windows:

  1. Make sure the following services are running:
    • Trend Micro Deep Security Agent
    • Trend Micro Solution Platform
  2. Check that all the anti-malware related drivers are running properly by running the following commands:

    For all versions of Deep Security Agent:

    • # sc query AMSP

    For Deep Security Agent 12.5 or earlier, also check:

    • # sc query tmcomm
    • # sc query tmactmon
    • # sc query tmevtmgr

    If a driver is not running, restart the Trend Micro services. If it is still not running, continue with the steps below.

  3. Verify the installation method. Only install the MSI, not the zip file.
  4. The agent might need to be manually removed and reinstalled. For more information, see Manually uninstalling Deep Security Agent, Relay, and Notifier from Windows.
  5. The installed Comodo certificate could be the cause of the issue. To resolve the issue, see "Anti-Malware Driver offline" status occurs due to Comodo certificate issue.
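
The service and driver checks from steps 1 and 2 can be run in one pass from an elevated PowerShell prompt. The script below is an added example, not vendor-supplied code. The -AgentIs12_5OrEarlier switch is a hypothetical parameter, and the STATE parsing assumes English-locale sc.exe output.

```powershell
# Added example, not vendor code. -AgentIs12_5OrEarlier is a hypothetical switch.
param([switch]$AgentIs12_5OrEarlier)

# Service display names and driver names as listed in the steps above.
$serviceDisplayNames = 'Trend Micro Deep Security Agent', 'Trend Micro Solution Platform'
$driverNames = @('AMSP')
if ($AgentIs12_5OrEarlier) { $driverNames += 'tmcomm', 'tmactmon', 'tmevtmgr' }

function Get-ScState {
    param([string]$Name)
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $output = & sc.exe query $Name 2>&1
    if ($LASTEXITCODE -eq 1060) { return 'NOT INSTALLED' }   # ERROR_SERVICE_DOES_NOT_EXIST
    if ($LASTEXITCODE -ne 0)    { return "QUERY FAILED ($LASTEXITCODE)" }
    # Assumes English-locale output such as "STATE : 4  RUNNING".
    foreach ($line in $output) {
        if ("$line" -match '^\s*STATE\s*:\s*\d+\s+(\S+)') { return $Matches[1] }
    }
    return 'UNKNOWN'
}

$results = @()
foreach ($displayName in $serviceDisplayNames) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $state = if ($svc) { $svc.Status.ToString().ToUpper() } else { 'NOT INSTALLED' }
    $results += [pscustomobject]@{ Kind = 'Service'; Name = $displayName; State = $state }
}
foreach ($driver in $driverNames) {
    $results += [pscustomobject]@{ Kind = 'Driver'; Name = $driver; State = (Get-ScState $driver) }
}

$results | Format-Table -AutoSize
$notRunning = @($results | Where-Object { $_.State -ne 'RUNNING' })
if ($notRunning.Count -gt 0) {
    Write-Warning ("Not running: " + ($notRunning.Name -join ', ') +
        ". Restart the Trend Micro services, then re-run this check.")
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or monitoring job that alerts when a component stops.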

If your agent is on Linux:

  1. To check that the agent is running, enter the following command in the command line:
    • service ds_agent status
  2. If you're using a Linux server, your kernel might not be supported. For more information, see Error: Module installation failed (Linux).

If the problem is still unresolved after following these instructions, create a diagnostic package and contact support. For more information, see Create a diagnostic package and logs.

Agentless protection

  1. In the Deep Security Manager, verify synchronization to vCenter and NSX. Under the Computers section, right-click your vCenter and go to Properties. Click Test Connection. Then click the NSX tab and test the connection. Click Add/Update Certificate in case the certificate has changed.
  2. Log in to the NSX manager and verify that it is syncing to vCenter properly.
  3. Log into your vSphere client and go to Network & Security > Installation > Service Deployments. Check for errors with Trend Micro Deep Security and Guest Introspection, and resolve any that are found.
  4. In vSphere client, go to Network & Security > Service Composer. Verify that the security policy is assigned to the appropriate security group.
  5. Verify that your VMware tools are compatible with Deep Security. For more information, see VMware Tools 10.x Interoperability Issues with Deep Security.
  6. Verify that the File Introspection Driver (vsepflt) is installed and running on the target VM. As an admin, run sc query vsepflt at the command prompt.
  7. All instances and virtual machines deployed from a catalog or vApp template from vCloud Director are given the same BIOS UUID. Deep Security distinguishes different VMs by their BIOS UUID, so a duplicate value in the vCenter causes an Anti-Malware Engine Offline error. To resolve the issue, see VM BIOS UUIDs are not unique when virtual machines are deployed from vApp templates (2002506).
  8. If the problem is still unresolved, open a case with support with the following information:

    • Diagnostic package from each Deep Security Manager. For more information, see Create a diagnostic package and logs.
    • Diagnostic package from the Deep Security Virtual Appliance.
    • vCenter support bundle for the affected VMs.
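
To confirm the duplicate BIOS UUID condition described in step 7 before applying the VMware fix, the VM inventory can be grouped by UUID. This is an added example, not vendor-supplied code. The function name, the Name and BiosUuid property names, and the sample inventory are constructed for illustration.

```powershell
# Added example. Input objects need Name and BiosUuid properties (assumed names).
# With VMware PowerCLI and an existing vCenter connection, one way to build them is:
#   Get-VM | Select-Object Name, @{N='BiosUuid';E={$_.ExtensionData.Config.Uuid}}
function Find-DuplicateBiosUuid {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        Where-Object { $_.BiosUuid } |
        # Normalise case and whitespace so the same UUID always lands in one group.
        Group-Object { $_.BiosUuid.Trim().ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                BiosUuid = $_.Name
                VMs      = ($_.Group.Name | Sort-Object) -join ', '
            }
        }
}

# Constructed sample inventory: web-01 and web-02 share a UUID, as VMs deployed
# from the same vApp template would.
$sample = @'
Name,BiosUuid
web-01,4210a1b2-0000-0000-0000-00000000aaaa
web-02,4210A1B2-0000-0000-0000-00000000AAAA
db-01,4210c3d4-0000-0000-0000-00000000bbbb
'@ | ConvertFrom-Csv

Find-DuplicateBiosUuid -Inventory $sample | Format-Table -AutoSize
```

Each output row is one UUID shared by more than one VM. An empty result means this cause can be ruled out.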