Summary
The "Anti-Malware Driver offline" error appears on a Windows server with the following details in the Event logs:
Event ID: 9017 Event: Anti-Malware Component Update Failed Description: A failure occurred during an Anti-Malware Component Update. Error Code: 9 Error Message: AMSP error code (0x20ff0000)
In some instances the event ID is 9051 and the following message appears:
Can't read value of 'HKLM\SOFTWARE\TrendMicro\Deep Security Agent\AntiMalware\AmspDep' (error 2: le fichier spécifié est introuvable.) Error: Can't open registry key 'HKLM\SYSTEM\CurrentControlSet\services\tmevtmgr' (error 2: le fichier spécifié est introuvable.) Error: AddSelfException() failed: 0xe0ff0001
The ds_agent.log file may also show the following:
Line 631: 2019-09-17 17:19:33.324322 [+0800]: [dsa.Heartbeat/5] | CommandLoader(cmd.GetComponentInfo): found handler in module dsa.Command.cmd.GetComponentInfo - added handler to cache | .\dsa\ConnectionHandler.lua:821:CommandLoader | 1D6C:1684:dsa.Scheduler_0002
Line 632: 2019-09-17 17:19:33.396322 [+0800]: [Warning/2] | Error retrieving component info from AMSP: 9 | .\dsp\am\Windows.lua:342:getComponentInfo | 1D6C:1684:dsa.Scheduler_0002
Line 723: 2019-09-17 17:19:34.018322 [+0800]: [Warning/2] | Error retrieving component info from AMSP: 9 | .\dsp\am\Windows.lua:342:getComponentInfo | 1D6C:1ED0:dsa.NotifySvc
This error usually appears because signature verification of the Anti-Malware driver failed. The Anti-Malware component uses the Windows API (WINAPI) to check the driver's digital signature, and the check fails when a certificate chain cannot be built from the signing certificate to a trusted root authority.
The cause is outdated root and intermediate certificates on the server.
Normally this is resolved by running Windows Update. However, Windows Update may no longer be available for unsupported versions of Windows.
To resolve this, do the following:
- On the affected agent machine, download the rootsupd.exe file and unzip it using the password "novirus".
- Create the folder c:\temp and extract the files with the command "rootsupd.exe /c /t:C:\temp\extroot". If it reports that the folder does not exist, create c:\temp\extroot manually.
- Open an administrator command prompt, change to c:\temp\extroot, and run the following commands:
  updroots.exe authroots.sst
  updroots.exe updroots.sst
  updroots.exe -l roots.sst
  updroots.exe -d delroots.sst
- Manually import the Trend Micro certificates again so that the OS can build the certification chain and recognize the signature of our drivers. Follow this article for the complete procedure: Updating the Comodo certificate on Deep Security.
- Reboot the machine.
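As an added diagnostic (not part of the original article and not Trend Micro tooling), the following PowerShell checks the two registry keys named in the 9051 message and whether the Authenticode chain of each agent driver builds to a trusted root, which is the condition the certificate update above restores; the agent install path is an assumption and should be adjusted if the agent was installed elsewhere.

```powershell
# Added diagnostic, not Trend Micro's own tooling. Assumed default install
# folder; change $agentRoot if the Deep Security Agent lives elsewhere.
$agentRoot = 'C:\Program Files\Trend Micro\Deep Security Agent'

# 1. Are the registry keys named in the event 9051 message present?
$keys = @(
    'HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\AntiMalware',
    'HKLM:\SYSTEM\CurrentControlSet\Services\tmevtmgr'
)
foreach ($key in $keys) {
    $state = if (Test-Path $key) { 'present' } else { 'MISSING' }
    Write-Output ("{0,-8} {1}" -f $state, $key)
}
$am = Get-ItemProperty -Path $keys[0] -ErrorAction SilentlyContinue
if ($am -and $am.PSObject.Properties['AmspDep']) {
    Write-Output ("AmspDep = {0}" -f $am.AmspDep)
} else {
    Write-Output 'AmspDep value not readable (matches the 9051 message)'
}

# 2. Does the Authenticode chain of each driver build to a trusted root?
Get-ChildItem -Path $agentRoot -Filter '*.sys' -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $chainProblems = @()
    $signer = ''
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # An offline server cannot reach CRL/OCSP; test chain building only.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($sig.SignerCertificate)) {
            # UntrustedRoot or PartialChain here points at a stale root/intermediate store
            $chainProblems = $chain.ChainStatus | ForEach-Object { $_.Status }
        }
    }
    [pscustomobject]@{
        Driver      = $_.Name
        SigStatus   = $sig.Status
        Signer      = $signer
        ChainIssues = ($chainProblems -join ',')
    }
  } | Format-Table -AutoSize
```

Run it before and after the updroots steps: a driver whose ChainIssues column changes from UntrustedRoot or PartialChain to empty confirms the root store was the problem.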