Event ID 9017 shows on Deep Security Agent running on Windows server

Product / Version includes:

Deep Security 9.6 , Deep Security 10.0

Last updated: 2025/05/08

Solution ID: KA-0007135

Category: Troubleshoot

Summary

The "Anti-Malware Driver offline" error appears on Windows server with the following details in the Event logs:

Event ID: 9017  Event: Anti-Malware Component Update Failed  Description: A failure occurred during an Anti-Malware Component Update.    Error Code: 9  Error Message: AMSP error code (0x20ff0000)

In some instances, the event ID would be 9051 and the following message might appear:

Can't read value of 'HKLM\SOFTWARE\TrendMicro\Deep Security Agent\AntiMalware\AmspDep' (error 2: le fichier spécifié est introuvable.) Error: Can't open registry key 'HKLM\SYSTEM\CurrentControlSet\services\tmevtmgr' (error 2: le fichier spécifié est introuvable.) Error: AddSelfException() failed: 0xe0ff0001

The ds_agent.log file may also show the following:

Line 631: 2019-09-17 17:19:33.324322 [+0800]: [dsa.Heartbeat/5] | CommandLoader(cmd.GetComponentInfo): found handler in module dsa.Command.cmd.GetComponentInfo - added handler to cache | .\dsa\ConnectionHandler.lua:821:CommandLoader | 1D6C:1684:dsa.Scheduler_0002
Line 632: 2019-09-17 17:19:33.396322 [+0800]: [Warning/2] | Error retrieving component info from AMSP: 9 | .\dsp\am\Windows.lua:342:getComponentInfo | 1D6C:1684:dsa.Scheduler_0002
Line 723: 2019-09-17 17:19:34.018322 [+0800]: [Warning/2] | Error retrieving component info from AMSP: 9 | .\dsp\am\Windows.lua:342:getComponentInfo | 1D6C:1ED0:dsa.NotifySvc

This error usually appears because the signature verification checking for the Anti-Malware driver failed. The Anti-Malware component uses WINAPI for checking the digital signature and this process failed due to a certificate chain that could not be built to a trusted root authority.

The reason for this is the outdated root and intermediate certificates in the server.

Normally, this can be resolved by doing a Windows Update. However, Windows Update for unsupported versions may no longer be available.

To resolve this, do the following:

On the affected agent machine, download the rootsupd.exe file.

Unzip the file using the password "novirus".
Create a folder c:\temp and extract the files using the command "rootsupd.exe /c /t:C:\temp\extroot". If it prompts that folder doesn't exist, manually create c:\temp\extroot.
Open an administrator command line, and from c:\temp\extroot, run the following commands:
updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst
Manually import the Trend Micro certificates again to build the certification chain for the OS to recognize the signature of our drivers. Follow this article for the complete procedure: Updating the Comodo certificate on Deep Security.
Reboot the machine.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Event ID 9017 shows on Deep Security Agent running on Windows server

Event ID 9017 shows on Deep Security Agent running on Windows server

Product / Version includes:

Summary