If a server unexpectedly reboots due to third-party bmhook and tmhook modules triggered by Trend Micro Deep Security, there are several steps that can be taken to resolve the issue. First, check the KSP release time to see if it corresponds to the time of the unexpected reboot. The 20.0.0-8778 KSP release time can be found on the Trend Micro website.

Next, check the System_Events.csv file to see if a security update occurred after the time of the unexpected reboot. If so, check the ds_agent.log file to see if the KSP import operation was successful. If the log recording the KSP import time is no longer available, check the ctime of the vfs_filter_3_10_0_1160_105_1_el7_x86_64-redhat_el7-20.0.0.x86_64 file in the /opt/ds_agent/dsp directory.

If the customer hasn't made any changes to /opt/ds_agent/dsp, the ctime should roughly correspond to the time when KSP was imported. If the KSP import was successful, the issue should be resolved. If not, please contact Trend Micro support for further assistance.