Enable or disable agent self-protection

The agent self-protection feature is only available for agents on Windows. It is not available on Linux.

Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" will be displayed.

To update or uninstall Deep Security Agent or Relay, or to create a diagnostic package for support (see Create a diagnostic package and logs), you must temporarily disable agent self-protection.

Anti-Malware protection must be "On" to prevent users from stopping the agent, and from modifying agent-related files and Windows registry entries. It isn't required, however, to prevent uninstalling the agent.

You can configure agent self-protection using either the Deep Security Manager, or the command line on the agent's computer.

Configure self-protection through Deep Security Manager

  1. Open the Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). where you want to enable agent self-protection.
  2. Click Settings > General.
  3. In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
  4. For Local override requires password, select Yes and type an authentication password. The authentication password is highly recommended because it prevents unauthorized use of the dsa_control command line utility. After specifying the password here, it must be entered into the dsa_control command line utility using the -p or --passwd= option whenever a command is run on the agent.
  5. Click Save.
  6. To disable the setting, select No. Click Save.

Configure self-protection using the command line

You can enable and disable self-protection using the command line. The command line has one limitation: you cannot specify an authentication password. You'll need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details.

  1. Log in to the Windows agent locally.
  2. Open the Command Prompt (cmd.exe) as Administrator.
  3. Change the current directory to the Deep Security Agent installation folder. (The default install folder is shown below.)

    cd C:\Program Files\Trend Micro\Deep Security Agent

  4. Enter one of the following commands:

    To enable agent self-protection, enter:

    dsa_control --selfprotect=1

    To disable agent self-protection, enter:

    dsa_control --selfprotect=0 -p <password>

    where -p <password> is the authentication password, if one was specified previously in Deep Security Manager. For details on this password, see Configure self-protection through Deep Security Manager.