Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Blue-Screen-of-Death occurs when installing Deep Security Agent and OfficeScan Agent on the same host

    • Updated:
    • 13 Mar 2020
    • Product/Version:
    • Deep Security 9.6
    • OfficeScan 11.0
    • ServerProtect
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Enterprise
    • Windows 2008 Enterprise
    • Windows 2012 Enterprise
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows 8.1 32-bit
    • Windows 8.1 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit

Installing both Deep Security Agent (DSA) and OfficeScan (OSCE) agent on the same host triggers a Blue-Screen-of-Death (BSoD). This causes driver conflict and crash.

Below are the symptoms of the issue:

  • It happens in any VSAPI version.
  • System BSoD occurs and its bug check code is "7F".
  • Call stack goes through tmevtmgr.sys and tmpreflt.sys recursively.

The problem happens because the tmevtmgr.sys of Deep Security and the tmpreflt.sys of OfficeScan have compatibility issue. If the two are installed together, they will cause kernel stack overflow and BSoD.

To resolve the issue, remove the Deep Security Anti-Malware function:

  1. Check the AMSP folder. When the DSA and AM/AMSP module are both installed, the AMSP folder is created.
  2. Find the Tmevtmgr.sys version. This file, which is installed under \SystemRoot\system32\DRIVERS\, exists in both DSA and OSCE but they have different drivers with different versions.
    1. Check the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmevtmgr] registry key.
    2. Identify the version of Tmevtmgr.sys.


      • If the version is greater than 5.5, it belongs to DSA AM/AMSP and it is called EYES.
      • If the version is 2.x, it belongs to OSCE and it is called AEGIS.
  3. If the Tmevtmgr.sys version is 5.5 or above, re-install DSA with disabled AM function to avoid the Tmevtmgr.sys file from being replaced again.
  4. Re-install the OSCE client to rollback the Tmevtmgr.sys file to the version used by OSCE AM.

Other products with Anti-Malware (AM) drivers cannot co-exist as well. For example, if ServerProtect for Microsoft Windows/Novell Netware (SPNT) and DSA are installed on the same machine, DSA will report offline AM due to driver conflict.

Note: In Deep Security 11.3 and above, Deep Security Agent for Windows introduced a design change, once integrity monitoring feature is enabled, even Anti-malware feature has never been enabled, Anti-malware modules will be installed as well. That said, if you use third-party anti-malware products it can work as earlier Deep Security versions, however, if you use other Trend Micro products with anti-malware feature as they use common modules that may cause race condition if it co-exists with Deep Security Agent.

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.