Enable or disable agent self-protection on Windows
Agent self-protection prevents local users from tampering with the agent. When enabled, if a local user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" is displayed.
To update or uninstall Deep Security Agent or relay, or if you are a local user trying to create a diagnostic package for support from the command line, as described in Create a diagnostic package and logs, you must temporarily disable agent self-protection.
Anti-Malware protection must be enabled to prevent local users from stopping the agent, as well as from modifying agent-related files and Windows registry entries. However, self-protection is not required to prevent uninstalling the agent.
Before stopping Deep Security Agent, you must first disable its self-protection, which is a safeguard against unauthorized modifications, to avoid problems.
You can configure agent self-protection using either Deep Security Manager or the command line on the agent's computer.
Configure self-protection through Deep Security Manager
- Open the Computer or Policy editor where you want to enable agent self-protection.
- Select Settings > General.
- In the Agent Self-Protection section, select Yes to prevent local users from uninstalling, stopping, or otherwise modifying the agent.
- For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command. After you specify the password, you must enter it with the dsa_control command using the -p or --passwd= option whenever you run a command on the agent. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.
- Click Save.
- To disable self-protection, select No, and then click Save.
Configure agent self-protection using the command line
You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.
- Log in to the Windows agent locally.
- Open the command prompt (cmd.exe) as an Administrator.
- Change the current directory to the Deep Security Agent installation folder. The following shows the default installation folder:
  cd C:\Program Files\Trend Micro\Deep Security Agent
- Enter one of the following commands:
  To enable agent self-protection, enter:
  dsa_control --selfprotect=1
  To disable agent self-protection, enter:
  dsa_control --selfprotect=0 -p <password>
  where -p <password> is the authentication password, if one was previously specified in Deep Security Manager. For details, see Configure self-protection through Deep Security Manager. Note that the password cannot be longer than 32 characters; if this length is exceeded, the password is automatically truncated.
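The page calls the disable step temporary, so the main operational risk is a maintenance task that fails and leaves the agent unprotected. The following PowerShell wrapper is an added example, not Trend Micro code: it disables self-protection, runs a task, and always re-enables protection afterwards. The function name, its parameters, the use of PowerShell instead of cmd.exe, and the reliance on a non-zero exit code from dsa_control are assumptions.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell session.
# Assumption: dsa_control exits non-zero when a command fails.
function Invoke-WithSelfProtectDisabled {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [scriptblock] $Maintenance,  # task to run while unprotected
        [securestring] $Password,   # omit if no local override password is set
        [string] $AgentDir = 'C:\Program Files\Trend Micro\Deep Security Agent'  # default folder
    )

    $auth = @()
    if ($Password) {
        # dsa_control takes the password as a plain -p argument.
        $plain = [System.Net.NetworkCredential]::new('', $Password).Password
        if ($plain.Length -gt 32) {
            Write-Warning 'Password is longer than 32 characters; it is truncated at 32.'
        }
        $auth = @('-p', $plain)
    }

    Push-Location $AgentDir
    try {
        & .\dsa_control --selfprotect=0 @auth
        if ($LASTEXITCODE -ne 0) {
            throw "Could not disable self-protection (exit code $LASTEXITCODE)."
        }
        try {
            & $Maintenance
        }
        finally {
            # Restore protection even if the maintenance task throws.
            & .\dsa_control --selfprotect=1 @auth
            if ($LASTEXITCODE -ne 0) {
                Write-Error "Self-protection was NOT re-enabled (exit code $LASTEXITCODE)."
            }
        }
    }
    finally {
        Pop-Location
    }
}

# Usage (constructed): prompt for the password instead of hard-coding it.
# $pw = Read-Host 'Local override password' -AsSecureString
# Invoke-WithSelfProtectDisabled -Password $pw -Maintenance { <# update or diagnostic step #> }
```

Because -p places the password on the command line, avoid storing it in scripts or scheduled task definitions.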