Summary
Deep Security Agent (DSA) shows “Anti-Malware Driver offline” status on the Deep Security Manager (DSM) console.
Details
The offline status is caused by the Comodo certificate used to sign the agent's drivers. To resolve the issue, remove all remnants of the previous installation, reinstall the Comodo certificates, and reinstall the agent:
- Uninstall DSA manually.
- Restart the server.
- Look for the following files or folders, and delete them if found:
- C:\WINDOWS\System32\Drivers\tbimdsa.sys
- C:\WINDOWS\System32\Drivers\tmactmon.sys
- C:\WINDOWS\System32\Drivers\tmcomm.sys
- C:\WINDOWS\System32\Drivers\tmevtmgr.sys
- C:\WINDOWS\System32\LogFiles\ds_agent\
- C:\Program Files\Trend Micro\AMSP\
- C:\Program Files\Trend Micro\Deep Security Agent\Agent
- C:\Program Files\Trend Micro\Deep Relay of Security Settings\Local (Relay)
- C:\Program Files\Trend Micro\Deep Notifier of Security Settings\Local (Notifier)
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro\Deep Security\Trend Micro Deep Security Notifier (for Windows 2008)
- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro\Deep Security\Trend Micro Deep Security Notifier (for Windows 2003)
- C:\Windows\Installer\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A} (Agent 64-bit)
- In the C:\Windows\inf\setupapi.dev.log file, look for entries containing the following:
- tmcomm.sys
- tmevtmgr.sys
- tmactmon.sys
These entries let you identify whether any remnants of the previous installation are still present. For each of the three drivers above, look for "Installing catalog <driver>.cat as:" and note the installation date and the oemXX.inf file used to install that driver.
- Uninstall the existing tmcomm.sys, tmevtmgr.sys and tmactmon.sys by running "pnputil -d oemXX.inf" for each oemXX.inf file identified in setupapi.dev.log.
- Delete any catalog files for the AMSP drivers left in C:\Windows\system32\catroot by previous installations; the uninstaller does not remove them. Note: these catalog files appear with names such as oem01.cat or oem12.cat.
- Delete the old driver files present in the Windows Driver Store, that is, the C:\Windows\system32\DriverStore\FileRepository\tmxxxx folders.
- Install all the Comodo certificates. Make sure each one is imported into the appropriate store for its role in the signing chain (root CA certificates into Trusted Root Certification Authorities, intermediate CA certificates into Intermediate Certification Authorities) on the local machine.
- Reinstall the DSA using a freshly downloaded installation package.
- Restart the server.
- Verify that the drivers are present in Device Manager (select View > Show hidden devices, then expand Non-Plug and Play Drivers). You should see the following drivers:
- tmcomm.sys
- tmevtmgr.sys
- tmactmon.sys
- Deactivate the agent on the DSM to remove the old associations.
- Activate the agent from the DSM again.
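The following PowerShell script is an added example for auditing the procedure above; it is not part of the original article and is not Trend Micro code. It checks for the leftover files and folders listed above, extracts the oemXX names from setupapi.dev.log, finds orphaned oemXX.cat files and Driver Store folders, and, after the reinstall, confirms the three kernel drivers are loaded and that COMODO certificates exist in the machine Root and CA stores. The regular expression used on setupapi.dev.log is an assumption based on the wording the article quotes ("Installing catalog <driver>.cat as:"); adjust it if the lines in your log are formatted differently. Nothing in the script deletes or uninstalls anything; it only prints the pnputil commands to run.

```powershell
# Added example, not from the original KB article. Run from an elevated PowerShell
# prompt. Uses Get-WmiObject and PSIsContainer so it also works on PowerShell 2.0
# (Windows Server 2003/2008).

$AmspDrivers = 'tmcomm', 'tmevtmgr', 'tmactmon'

# Leftover files/folders named in the article. The Relay/Notifier and Start Menu
# entries are omitted here because their exact names vary by agent version.
$LeftoverPaths = @(
    "$env:SystemRoot\System32\Drivers\tbimdsa.sys",
    "$env:SystemRoot\System32\Drivers\tmactmon.sys",
    "$env:SystemRoot\System32\Drivers\tmcomm.sys",
    "$env:SystemRoot\System32\Drivers\tmevtmgr.sys",
    "$env:SystemRoot\System32\LogFiles\ds_agent",
    "$env:ProgramFiles\Trend Micro\AMSP",
    "$env:ProgramFiles\Trend Micro\Deep Security Agent",
    "$env:SystemRoot\Installer\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}"
)

function Find-AmspRemnants {
    # Returns every path from the article's list that still exists on disk.
    $LeftoverPaths | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-AmspOemInfFromSetupApiLog {
    param([string]$LogPath = "$env:SystemRoot\inf\setupapi.dev.log")
    # ASSUMPTION: log lines look like "Installing catalog 'tmcomm.cat' as: 'oem12.cat'".
    # The oemXX number of the catalog is the same as the oemXX.inf published name.
    $drv = $AmspDrivers -join '|'
    $pattern = "Installing catalog\s+'?(?<drv>$drv)\.cat'?\s+as:?\s+'?(?:.*\\)?(?<oem>oem\d+)\.cat'?"
    Select-String -Path $LogPath -Pattern $pattern -AllMatches -ErrorAction SilentlyContinue |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                New-Object PSObject -Property @{
                    Driver = $m.Groups['drv'].Value
                    Oem    = $m.Groups['oem'].Value
                    Line   = $_.LineNumber
                }
            }
        } | Sort-Object Driver, Oem -Unique
}

function Get-AmspCatrootLeftovers {
    param([string[]]$OemNames)
    # oemXX.cat files under catroot whose number matches an oemXX recorded in the log.
    Get-ChildItem "$env:SystemRoot\System32\catroot" -Recurse -Filter 'oem*.cat' -ErrorAction SilentlyContinue |
        Where-Object { $OemNames -contains $_.BaseName }
}

function Get-AmspDriverStoreLeftovers {
    # Driver Store folders for the AMSP drivers (tmcomm.inf_amd64_..., etc.).
    Get-ChildItem "$env:SystemRoot\System32\DriverStore\FileRepository" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^(tmcomm|tmevtmgr|tmactmon)' }
}

function Test-AmspDriversLoaded {
    # Scripted equivalent of Device Manager > Non-Plug and Play Drivers:
    # after a good reinstall all three should be Present with State = Running.
    foreach ($d in $AmspDrivers) {
        $svc = Get-WmiObject Win32_SystemDriver -Filter "Name='$d'" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Driver  = $d
            Present = [bool]$svc
            State   = $(if ($svc) { $svc.State } else { 'missing' })
        }
    }
}

function Test-ComodoCertificates {
    # Counts COMODO certificates in the machine Root and intermediate (CA) stores,
    # which is where the driver signature chain is validated from.
    foreach ($store in 'Root', 'CA') {
        $certs = @(Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Subject -match 'COMODO' })
        New-Object PSObject -Property @{
            Store       = $store
            ComodoCerts = $certs.Count
            Subjects    = ($certs | ForEach-Object { $_.Subject }) -join '; '
        }
    }
}

'== Leftover files/folders ==';          Find-AmspRemnants
'== oemXX packages recorded for AMSP drivers =='
$oem = @(Get-AmspOemInfFromSetupApiLog); $oem | Format-Table Driver, Oem, Line -AutoSize
$oem | ForEach-Object { "Run to remove: pnputil -d $($_.Oem).inf" } | Sort-Object -Unique
'== Orphaned catalog files ==';          Get-AmspCatrootLeftovers -OemNames @($oem | ForEach-Object { $_.Oem })
'== Driver Store folders ==';            Get-AmspDriverStoreLeftovers
'== Driver state ==';                    Test-AmspDriversLoaded | Format-Table Driver, Present, State -AutoSize
'== COMODO certificates ==';             Test-ComodoCertificates | Format-Table Store, ComodoCerts, Subjects -AutoSize
```

Run it once before the cleanup to get the list of oemXX.inf packages and leftovers, then act on that output by hand (pnputil -d, deleting the catalog and Driver Store folders), and run it again after the reinstall and restart: the driver section should show all three drivers Present and Running, and the certificate section should show at least one COMODO entry in each store before you reactivate the agent from the DSM.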