Enable or disable agent self-protection on Windows

Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" is displayed.

To update or uninstall Deep Security Agent or relay, or if you are a local user trying to create a diagnostic package for support from the command line, as described in Create a diagnostic package and logs, you must temporarily disable agent self-protection.

Anti-Malware protection must be enabled to prevent users from stopping the agent, as well as from modifying agent-related files and Windows registry entries. However, it is not required to prevent uninstalling the agent.

You can configure agent self-protection using either Deep Security Manager or the command line on the agent's computer.

The agent self-protection feature is also available for agents on Linux. For more information, see Enable or disable agent self-protection on Linux.

Configure self-protection through Deep Security Manager

  1. Open the Computer or Policy editor where you want to enable agent self-protection. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
  2. Select Settings > General.
  3. In the Agent Self-Protection section, select Yes to prevent local end-users from uninstalling, stopping, or otherwise modifying the agent.
  4. For Local override requires password, select Yes and type an authentication password. Setting an authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. Once a password is specified, you must supply it with the -p or --passwd= option whenever you run a dsa_control command on the agent.
  5. Click Save.
  6. To disable the setting, select No.
  7. Click Save.

Configure agent self-protection using the command line

You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details.

  1. Log in to the Windows agent locally.
  2. Open the command prompt (cmd.exe) as an Administrator.
  3. Change the current directory to the Deep Security Agent installation folder. The following shows the default installation folder:

    cd C:\Program Files\Trend Micro\Deep Security Agent

  4. Enter one of the following commands:

    To enable agent self-protection, enter:

    dsa_control --selfprotect=1

    To disable agent self-protection, enter:

    dsa_control --selfprotect=0 -p <password>

    where -p <password> is the authentication password, if one was previously specified in Deep Security Manager. For details, see Configure self-protection through Deep Security Manager.
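
The temporary disable needed for an update, uninstall or diagnostic package can be wrapped so that self-protection is always switched back on, even if the maintenance step fails. This is an added PowerShell example, not Trend Micro code. It assumes the default installation folder shown above and that dsa_control returns a non-zero exit code on failure; the function name Invoke-WithSelfProtectOff and the empty maintenance block are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not Trend Micro code. Disables agent self-protection, runs one
# maintenance action, and re-enables protection in a finally block.
# Assumptions: default install folder from this page; dsa_control signals
# failure with a non-zero exit code; the function name is hypothetical.

function Invoke-WithSelfProtectOff {
    param(
        [Parameter(Mandatory)] [scriptblock] $Action,
        [securestring] $Password,   # only needed if a local override password is set
        [string] $AgentDir = 'C:\Program Files\Trend Micro\Deep Security Agent'
    )
    $dsa = Join-Path $AgentDir 'dsa_control'

    $pwArgs = @()
    if ($Password) {
        # -p takes the password as a command-line argument, so it is briefly
        # visible to other administrators on the host. Never hard-code it.
        $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
        $pwArgs = @('-p', $plain)
    }

    & $dsa '--selfprotect=0' @pwArgs
    if ($LASTEXITCODE -ne 0) {
        throw "Could not disable self-protection (exit code $LASTEXITCODE)."
    }
    try {
        & $Action
    }
    finally {
        # Runs whether the action succeeded, failed or was interrupted.
        & $dsa '--selfprotect=1' @pwArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Error "Self-protection was NOT re-enabled (exit code $LASTEXITCODE)."
        }
    }
}

# Prompt for the password instead of storing it in the script.
$pw = Read-Host -AsSecureString 'Local override password'
Invoke-WithSelfProtectOff -Password $pw -Action {
    <# placeholder: the update, uninstall or diagnostic package step goes here #>
}
```

If the final Write-Error fires, treat the host as unprotected until self-protection is confirmed enabled again in Deep Security Manager.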