The "Anti-Malware Driver offline" error appears on Windows Server 2003 with the following details in the Event log:
Event ID: 9017
Event: Anti-Malware Component Update Failed
Description: A failure occurred during an Anti-Malware Component Update. Error Code: 9 Error Message: AMSP error code (0x20ff0000)
In some instances the event ID is 9051 and the message reads as follows (error 2 is the Win32 code ERROR_FILE_NOT_FOUND; on a French-locale system it is printed as "le fichier spécifié est introuvable"):
Can't read value of 'HKLM\SOFTWARE\TrendMicro\Deep Security Agent\AntiMalware\AmspDep' (error 2: the specified file cannot be found.) Error: Can't open registry key 'HKLM\SYSTEM\CurrentControlSet\services\tmevtmgr' (error 2: the specified file cannot be found.) Error: AddSelfException() failed: 0xe0ff0001
This error usually appears because signature verification of the Anti-Malware driver failed. The Anti-Malware component calls the Windows API to validate the driver's digital signature, and that check fails when no certificate chain can be built from the signing certificate up to a trusted root certification authority. While the driver is offline the agent is not providing anti-malware protection, so the host should be treated as unprotected until the chain verifies again.
The cause is that the root and intermediate certificates held in the server's certificate stores are outdated, so the chain either stops at an intermediate the OS cannot find or ends in a root the OS does not trust.
Normally this is resolved by Windows Update, which refreshes the trusted root list. However, since Microsoft has ended support for Windows Server 2003, Windows Update no longer delivers these updates for this version, and the roots have to be refreshed manually.
To resolve this, do the following:
- On the affected agent machine, download the rootsupd.exe file (Microsoft's root certificate update package) and unzip it using the password "novirus". Obtain it only from Microsoft or from the Trend Micro support article, and check its digital signature before running it, since the package installs trusted roots on the host.
- Create the folder c:\temp and extract the package with the command "rootsupd.exe /c /t:C:\temp\extroot". If the command reports that the target folder does not exist, create c:\temp\extroot manually and run it again.
- Open an administrator command prompt, change to c:\temp\extroot, and run the following commands (the first installs the current roots, the second removes the roots Microsoft has retired):
updroots.exe -l roots.sst
updroots.exe -d delroots.sst
- Manually import the Trend Micro certificates again so that the OS can build the certification chain for the Trend Micro driver signatures. Follow this article for the complete procedure: Updating the Comodo certificate on Deep Security.
- Reboot the machine, then confirm that the Anti-Malware driver comes online and that no new 9017 or 9051 events are logged.
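The following PowerShell script is an added example for diagnosing and applying the procedure above; it is not Trend Micro's code or part of the original article. It assumes PowerShell 2.0 (KB968930) is installed on the Windows Server 2003 host and that the script runs from an elevated prompt. It reads the two registry locations quoted in the 9051 event, resolves the driver binary from the tmevtmgr service ImagePath, and performs the same Authenticode plus chain-build check that the Anti-Malware component relies on, printing each element of the chain so the untrusted or missing certificate is visible. With -ApplyRootUpdate it also runs the rootsupd/updroots steps, assuming rootsupd.exe has already been downloaded to C:\temp\rootsupd.exe (an assumed path). The Comodo certificate import from the linked article remains a manual step.

```powershell
# Check-AmDriverChain.ps1  (added example, not Trend Micro code)
# Assumes PowerShell 2.0 on Windows Server 2003, run as administrator.
param(
    [switch]$ApplyRootUpdate,
    [string]$RootsUpd   = 'C:\temp\rootsupd.exe',   # assumed download location
    [string]$ExtractDir = 'C:\temp\extroot'
)

# Registry locations quoted in the Event ID 9051 message.
$amKey  = 'HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\AntiMalware'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\tmevtmgr'

function Get-DriverPath {
    # Resolve the driver binary from the tmevtmgr service ImagePath. ImagePath is
    # normally relative to %SystemRoot% (system32\DRIVERS\...) and, when absolute,
    # may carry a \??\ prefix that the file system provider does not understand.
    if (-not (Test-Path $svcKey)) { return $null }
    $p = (Get-ItemProperty -Path $svcKey).ImagePath
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-DriverChain {
    param([string]$Path)
    # Step 1: Authenticode verification, the same check the AM component performs.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host ("Signature status : {0} ({1})" -f $sig.Status, $sig.StatusMessage)
    if ($sig.SignerCertificate -eq $null) { return $false }
    Write-Host ("Signer           : {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("Issuer           : {0}" -f $sig.SignerCertificate.Issuer)

    # Step 2: build the chain ourselves so the failing element is visible.
    # Revocation checking is disabled: an unsupported server is usually offline,
    # and the question here is root trust, not revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($sig.SignerCertificate)
    foreach ($el in $chain.ChainElements) {
        $st = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $st) { $st = 'OK' }
        Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $st)
    }

    # Step 3: is the top of the chain actually present in the machine Root store?
    # If not, the chain ends in an untrusted or partial root, which is the failure
    # mode behind the 9017 event.
    $els = @($chain.ChainElements)
    $top = $els[$els.Count - 1].Certificate
    $inRoot = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0
    Write-Host ("Chain built      : {0}; top cert in LocalMachine\Root: {1}" -f $built, $inRoot)
    return ($sig.Status -eq 'Valid' -and $built)
}

# Report the registry state named in the 9051 message.
$amspDep = $null
if (Test-Path $amKey) { $amspDep = (Get-ItemProperty -Path $amKey).AmspDep }
Write-Host ("tmevtmgr service key present : {0}" -f (Test-Path $svcKey))
Write-Host ("AmspDep value present        : {0}" -f ($amspDep -ne $null))

$driver = Get-DriverPath
if ($driver -and (Test-Path $driver)) {
    Write-Host "Driver: $driver"
    $ok = Test-DriverChain -Path $driver
    Write-Host ("Driver chain verifies        : {0}" -f $ok)
} else {
    Write-Host "Driver binary could not be resolved from the tmevtmgr service key; check the agent installation before updating roots."
}

if ($ApplyRootUpdate) {
    if (-not (Test-Path $RootsUpd)) { throw "rootsupd.exe not found at $RootsUpd" }
    # The updater installs trusted roots, so confirm it is the Microsoft-signed
    # package before running it. This is only a warning because the outdated
    # store being fixed here can itself make the verdict unreliable.
    $us = Get-AuthenticodeSignature -FilePath $RootsUpd
    if ($us.Status -ne 'Valid' -or $us.SignerCertificate.Subject -notlike '*Microsoft*') {
        Write-Warning ("rootsupd.exe signature is {0}; signer: {1}" -f $us.Status, $us.SignerCertificate.Subject)
    }
    if (-not (Test-Path $ExtractDir)) { New-Item -ItemType Directory -Path $ExtractDir | Out-Null }
    # The three commands from the procedure above.
    Start-Process -FilePath $RootsUpd -ArgumentList "/c /t:$ExtractDir" -Wait
    Push-Location $ExtractDir
    & .\updroots.exe -l roots.sst      # install current roots
    & .\updroots.exe -d delroots.sst   # remove retired roots
    Pop-Location
    Write-Host "Roots updated. Import the Trend Micro (Comodo) certificates per the linked article, reboot, then re-run this script without -ApplyRootUpdate."
}
```

Run it once before the fix to record which chain element fails (typically the top element shows UntrustedRoot or PartialChain and is absent from LocalMachine\Root), then again after the reboot to confirm "Driver chain verifies : True". The chain walk uses .NET's X509Chain rather than the agent's own verifier, so a small difference in policy is possible, but a chain that .NET cannot build to a trusted root will not pass the agent's Windows API check either.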