Installing both Deep Security Agent (DSA) and the OfficeScan (OSCE) agent on the same host causes a driver conflict that crashes the system with a Blue Screen of Death (BSoD).
Below are the symptoms of the issue:
- It happens with any VSAPI version.
- A system BSoD occurs and its bug check code is "7F".
- The call stack goes through tmevtmgr.sys and tmpreflt.sys recursively.
The problem happens because the tmevtmgr.sys of Deep Security and the tmpreflt.sys of OfficeScan have a compatibility issue. If the two are installed together, they cause a kernel stack overflow and a BSoD.
To resolve the issue, remove the Deep Security Anti-Malware function:
- Check the AMSP folder. When DSA and the AM/AMSP module are both installed, the AMSP folder is created.
- Find the Tmevtmgr.sys version. This file, which is installed under \SystemRoot\system32\DRIVERS\, exists in both DSA and OSCE, but the two products ship different drivers with different versions.
- Check the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmevtmgr] registry key.
- Identify the version of Tmevtmgr.sys.
- If the version is greater than 5.5, it belongs to DSA AM/AMSP and it is called EYES.
- If the version is 2.x, it belongs to OSCE and it is called AEGIS.
- If the Tmevtmgr.sys version is 5.5 or above, re-install DSA with the AM function disabled to prevent the Tmevtmgr.sys file from being replaced again.
- Re-install the OSCE client to roll back the Tmevtmgr.sys file to the version used by OSCE AM.
Other products with Anti-Malware (AM) drivers cannot co-exist either. For example, if ServerProtect for Microsoft Windows/Novell Netware (SPNT) and DSA are installed on the same machine, DSA will report AM as offline due to the driver conflict.
Note: In Deep Security 11.3 and above, Deep Security Agent for Windows introduced a design change: once the Integrity Monitoring feature is enabled, the Anti-Malware modules are installed as well, even if the Anti-Malware feature has never been enabled. Third-party anti-malware products continue to work as they did with earlier Deep Security versions. Other Trend Micro products with an anti-malware feature, however, use common modules, which may cause a race condition if they co-exist with Deep Security Agent.