The Ultimate Guide to uninstalling Trend Micro Deep Security Agent

I had a problem activating TM DS Agent with symptoms similar to the ones described in Trend Micro Knowledge Base / Solution ID 1095437, “Anti-malware module of the Deep Security Agent (DSA) shows ‘Driver offline / Not installed’ in the Deep Security Notifier”.

After numerous attempts to uninstall, clean up and reinstall the Trend Micro Deep Security Agent, the issue was still not resolved.

So, here is the ULTIMATE guide to uninstalling TM DSA that worked for me on several servers:

N.B. If you have network teaming configured, this procedure may break the team or wipe the team’s network stack. Just re-create the team and it should work OK.

  1. Uninstall the DSA from the server.
  2. Run the tbclean.exe utility. See [Solution ID 1054528].
  3. Clean up the registry by removing these keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSP
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSPStatus
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Deep Security Agent
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\WL
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Amsp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ds_agent
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ds_notifier
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tbimdsa
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmactmon
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmevtmgr
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Deep Security Agent
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Deep Security Relay
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\tbimdsa
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\C4AF20E48325C454BBBE163E418FCEA9
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C4AF20E48325C454BBBE163E418FCEA9
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}
  4. Restart the server.
  5. Check whether any of these files or folders are present and delete them if found:
    C:\WINDOWS\System32\Drivers\tbimdsa.sys
    C:\WINDOWS\System32\Drivers\tmactmon.sys
    C:\WINDOWS\System32\Drivers\tmcomm.sys
    C:\WINDOWS\System32\Drivers\tmevtmgr.sys
    C:\WINDOWS\System32\LogFiles\ds_agent
    C:\Program Files\Trend Micro\AMSP
    C:\Program Files\Trend Micro\Deep Security Agent\Agent
    C:\Program Files\Trend Micro\Deep Relay of Security Settings\Local (Relay)
    C:\Program Files\Trend Micro\Deep Notifier of Security Settings\Local (Notifier)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro\Deep Security\Trend Micro Deep Security Notifier (for Windows 2008)
    C:\Documents and Settings\All Users\Start menu\programs\Trend Micro Deep Security\Trend Micro Deep Security Notifier (for Windows 2003)
    C:\Windows\Installer\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}/Agent 64-bit
  6. Review the file C:\Windows\inf\setupapi.dev.log.
    Look for entries containing tmcomm.sys, tmevtmgr.sys and tmactmon.sys. These entries show whether any remains of a previous installation exist: look for lines like “Installing catalog <driver>.cat as:” (for any of the three drivers above), and note the installation dates and the oemXX.inf files used to install these drivers.
  7. Uninstall the existing tmcomm.sys, tmevtmgr.sys and tmactmon.sys drivers using pnputil -d oemXX.inf (on this particular computer oem26.inf, oem27.inf and oem28.inf).
    Identify which oemXX.inf files you need to uninstall by reviewing setupapi.dev.log.
  8. Delete any catalog files for the AMSP drivers present in C:\Windows\system32\catroot
    (on this particular computer oem9.cat, oem10.cat and oem11.cat) that are leftovers from previous installations and that tbclean and pnputil did not remove.
  9. Delete old driver files present in the Windows driver store:
    C:\Windows\system32\DriverStore\FileRepository\tmxxxx (folders)
    N.B. You might need to take ownership of those folders.
  10. Install all the Comodo certificates following the KB: http://esupport.trendmicro.com/solution/en-US/1104241.aspx
    Remember to place them in the appropriate store.
  11. Reinstall the DSA using a freshly downloaded installation package. [Trend Micro Software Download Center]
  12. Restart the server.
  13. Verify that the drivers are present in Device Manager (View > Show hidden devices, then look under Non-Plug and Play Drivers); you should see tmcomm.sys, tmevtmgr.sys and tmactmon.sys.
  14. Deactivate the agent on the DSM (to remove the old association).
  15. Activate the agent from the DSM.
    If you prefer agent-initiated activation, use this command: “dsa_control /a dsm://<host or IP>:<port>/” (default port 4120)
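Before reinstalling (between steps 9 and 10), it helps to confirm that nothing from steps 3 to 9 was missed. The following PowerShell script is an added example, not part of the original post or of Trend Micro's tooling: it is report-only, lists the registry keys, files, Driver Store folders and oemXX.inf/.cat names from the guide that are still present, and deletes nothing. It assumes the 64-bit paths under $env:ProgramFiles and that the driver packages show a provider name containing "Trend Micro" in pnputil -e output.

```powershell
# Added example, not from the original post: report-only audit of the DSA leftovers
# listed in the guide. It deletes nothing; removal remains the manual steps above.
# Assumptions: 64-bit install under $env:ProgramFiles, and the Trend Micro driver
# packages report a provider name containing "Trend Micro" in pnputil -e output.
$regKeys = @(
    'HKLM:\SOFTWARE\TrendMicro\AEGIS', 'HKLM:\SOFTWARE\TrendMicro\AMSP',
    'HKLM:\SOFTWARE\TrendMicro\AMSPStatus', 'HKLM:\SOFTWARE\TrendMicro\Deep Security Agent',
    'HKLM:\SOFTWARE\TrendMicro\WL',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Amsp', 'HKLM:\SYSTEM\CurrentControlSet\Services\ds_agent',
    'HKLM:\SYSTEM\CurrentControlSet\Services\ds_notifier', 'HKLM:\SYSTEM\CurrentControlSet\Services\tbimdsa',
    'HKLM:\SYSTEM\CurrentControlSet\Services\tmactmon', 'HKLM:\SYSTEM\CurrentControlSet\Services\tmcomm',
    'HKLM:\SYSTEM\CurrentControlSet\Services\tmevtmgr',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}'
)
$paths = @(
    "$env:SystemRoot\System32\Drivers\tbimdsa.sys", "$env:SystemRoot\System32\Drivers\tmactmon.sys",
    "$env:SystemRoot\System32\Drivers\tmcomm.sys", "$env:SystemRoot\System32\Drivers\tmevtmgr.sys",
    "$env:SystemRoot\System32\LogFiles\ds_agent",
    "$env:ProgramFiles\Trend Micro\AMSP", "$env:ProgramFiles\Trend Micro\Deep Security Agent"
)
$drivers = 'tmcomm', 'tmevtmgr', 'tmactmon'

Write-Host '== Registry keys still present (step 3) =='
$regKeys | Where-Object { Test-Path $_ } | ForEach-Object { Write-Host "  $_" }

Write-Host '== Files and folders still present (step 5) =='
$paths | Where-Object { Test-Path $_ } | ForEach-Object { Write-Host "  $_" }

# Every oemNN.inf / oemNN.cat name that appears on a setupapi.dev.log line mentioning
# one of the three AMSP drivers; these are the candidates for pnputil -d and catroot cleanup.
Write-Host '== oemXX.inf / .cat names tied to the AMSP drivers in setupapi.dev.log (steps 6-8) =='
$log = "$env:SystemRoot\inf\setupapi.dev.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern ($drivers -join '|') |
        ForEach-Object { [regex]::Matches($_.Line, 'oem\d+\.(inf|cat)', 'IgnoreCase') } |
        ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }
}

# pnputil -e prints one blank-line-separated block per package; keep the Trend Micro ones.
Write-Host '== Driver packages still in the store with a Trend Micro provider (step 7) =='
$block = @()
pnputil -e | ForEach-Object {
    if ($_.Trim()) { $block += $_ }
    elseif ($block -match 'Trend Micro') { $block | ForEach-Object { Write-Host "  $_" }; Write-Host ''; $block = @() }
    else { $block = @() }
}

Write-Host '== DriverStore FileRepository folders for the AMSP drivers (step 9) =='
Get-ChildItem "$env:SystemRoot\System32\DriverStore\FileRepository" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.Name; ($drivers | Where-Object { $n -like "$_*" }) } |
    ForEach-Object { Write-Host "  $($_.FullName)" }
```

Run it from an elevated PowerShell prompt; an empty report for every section means the reinstall in step 11 starts from a clean machine.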

Hope this helps.
