Enable or disable agent self-protection on Windows

Agent self-protection prevents local users from tampering with the agent. When enabled, if a local user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" is displayed.

To update or uninstall Deep Security Agent or relay, or if you are a local user trying to create a diagnostic package for support from the command line, as described in Create a diagnostic package and logs, you must temporarily disable agent self-protection.

Anti-Malware protection must be enabled to prevent local users from stopping the agent, as well as from modifying agent-related files and Windows registry entries. However, self-protection is not required to prevent uninstalling the agent.

Before stopping Deep Security Agent, its self-protection, which is, essentially, a safeguard against unauthorized modifications, must be disabled to avoid problems and ensure a smooth operation.

You can configure agent self-protection using either Deep Security Manager or the command line on the agent's computer.

Configure self-protection through Deep Security Manager

  1. Open the Computer or Policy editorClosed where you want to enable agent self-protection.
  2. Select Settings > General.
  3. In the Agent Self-Protection section, select Yes to prevent local users from uninstalling, stopping, or otherwise modifying the agent.
  4. For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents an unauthorized use of the dsa_control command. After specifying the password, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.
  5. Click Save.
  6. To disable self-protection, select No, and then click Save.

Configure agent self-protection using the command line

You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.

  1. Log in to the Windows agent locally.
  2. Open the command prompt (cmd.exe) as an Administrator.
  3. Change the current directory to the Deep Security Agent installation folder. The following shows the default installation folder:

    cd C:\Program Files\Trend Micro\Deep Security Agent

  4. Enter one of the following commands:

    To enable agent self-protection, enter:

    dsa_control --selfprotect=1

    To disable agent self-protection, enter:

    dsa_control --selfprotect=0 -p <password>, where -p <password> is the authentication password, if one was previously specified in Deep Security Manager. For details, see Configure self-protection through Deep Security Manager. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.