I had a problem activating TM DS Agent with symptoms similar to the ones described in Trend Micro Knowledge Base / Solution ID 1095437 “Anti-malware module of the Deep Security Agent (DSA) shows ‘Driver offline / Not installed’ in the Deep Security Notifier”.
After numerous attempts to uninstall/clean up/reinstall Trend Micro Deep Security Agent the issue still was not resolved.
So, here is the ULTIMATE guide to uninstalling TM DSA that worked for me on several servers:
N.B. If you have network teaming configured, this procedure may break the team or wipe the team’s network stack. Just re-create the team and it should work OK.
- Uninstall the DSA from the server
- Run the tbclean.exe utility. See [Solution ID 1054528]
- Clean up the registry
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSP
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSPStatus
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Deep Security Agent
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\WL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Amsp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ds_agent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ds_notifier
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tbimdsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmactmon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmevtmgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Deep Security Agent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Deep Security Relay
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\tbimdsa
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\C4AF20E48325C454BBBE163E418FCEA9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C4AF20E48325C454BBBE163E418FCEA9
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}
- Restart the server
- Check if any of these files or folders are present and delete them if found:
C:\WINDOWS\System32\Drivers\tbimdsa.sys
C:\WINDOWS\System32\Drivers\tmactmon.sys
C:\WINDOWS\System32\Drivers\tmcomm.sys
C:\WINDOWS\System32\Drivers\tmevtmgr.sys
C:\WINDOWS\System32\LogFiles\ds_agent
C:\Program Files\Trend Micro\AMSP
C:\Program Files\Trend Micro\Deep Security AgentAgent
C:\Program Files\Trend Micro\Deep Relay of Security SettingsLocal (Relay)
C:\Program Files\Trend Micro\Deep Notifier of Security SettingsLocal (Notifier)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend MicroDeep Security\Trend Micro Deep Security Notifier (for Windows 2008)
C:\Documents and Settings\All Users\Start menu\programs\Trend Micro Deep Security\Trend Micro Deep Security Notifier (for Windows 2003)
C:\Windows\Installer\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}/Agent 64-bit
- Review the file C:\Windows\inf\setupapi.dev.log.
Look for entries containing tmcomm.sys, tmevtmgr.sys and tmactmon.sys. These entries show whether anything remains of a previous installation: look for lines like “Installing catalog (any of the three drivers above).cat as:” and note the dates of the installation and the oemXX.inf files used to install these drivers.
- Uninstall the existing tmcomm.sys, tmevtmgr.sys and tmactmon.sys using pnputil -d oemfile.inf (on this particular computer oem26.inf, oem27.inf and oem28.inf)
Identify which oemXX.inf files you need to uninstall by reviewing the setupapi.dev.log
- Delete any catalog files for AMSP drivers present in C:\Windows\system32\catroot
(on this particular computer oem9.cat, oem10.cat and oem11.cat) that are leftovers from previous installations and that tbclean and pnputil did not remove
- Delete old driver files present in the Windows driver store
C:\Windows\system32\DriverStore\FileRepository\tmxxxx (folders)
N.B. You might need to take ownership of those folders
- Install all the Comodo certificates following the KB: http://esupport.trendmicro.com/solution/en-US/1104241.aspx
Remember to place them in the appropriate store.
- Reinstall the DSA using the freshly downloaded installation package. [Trend Micro Software Download Center]
- Restart the server
- Verify that the drivers are present in the Device Manager (using view non P&P devices); you should see the following drivers: tmcomm.sys, tmevtmgr.sys and tmactmon.sys
- Deactivate the agent on the DSM (to remove the old association)
- Activate the agent from the DSM.
If you prefer using the agent-initiated activation, use this command: “dsa_control /a dsm://<host or IP>:<port>/” (default port 4120)
Hope this will help
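For the setupapi.dev.log review step above, a read-only PowerShell sketch that lists the “Installing catalog … as:” entries for the three AMSP drivers together with the section date and any oemNN.inf named in the same section. This is an added example, not part of the original post or any Trend Micro tooling; the function name, the ">>>  Section start" header layout and the sample lines are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Read-only: it lists and removes nothing.
function Get-AmspDriverInstall {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLines,
        [string[]]$Drivers = @('tmcomm', 'tmevtmgr', 'tmactmon')
    )
    $names = ($Drivers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $start = $null; $infs = @(); $hits = @()
    # Emits one record per catalog line found in the section just finished.
    $flush = {
        foreach ($h in $hits) {
            [pscustomobject]@{
                SectionStart     = $start
                Catalog          = $h.Cat
                InstalledAs      = $h.As
                OemInfsInSection = ($infs | Sort-Object -Unique) -join ', '
            }
        }
    }
    foreach ($line in $LogLines) {
        # Assumption: each section opens with ">>>  Section start <date> <time>".
        if ($line -match '^>>>\s+Section start\s+(?<ts>\S+\s+\S+)') {
            $ts = $Matches['ts']
            & $flush
            $start = $ts; $infs = @(); $hits = @()
            continue
        }
        # The phrase the post says to look for: "Installing catalog <driver>.cat as:".
        if ($line -match "Installing catalog\s+(?<cat>(?:$names)\.cat)\s+as:\s*(?<as>\S+)") {
            $hits += @{ Cat = $Matches['cat']; As = $Matches['as'] }
        }
        # Every oemNN.inf named in the same section is a candidate for pnputil review.
        $infs += @([regex]::Matches($line, '(?i)\boem\d+\.inf\b') | ForEach-Object { $_.Value.ToLower() })
    }
    & $flush
}

# Constructed sample lines; on a server pass (Get-Content C:\Windows\inf\setupapi.dev.log).
$sample = @(
    '>>>  Section start 2014/03/02 10:15:01.123',
    '     inf: Published Inf Path: C:\Windows\INF\oem26.inf',
    '     sto: Installing catalog tmcomm.cat as: oem26.CAT',
    '>>>  Section start 2014/03/02 10:15:09.456',
    '     sto: Installing catalog othervendor.cat as: oem30.CAT'
)
Get-AmspDriverInstall -LogLines $sample | Format-Table -AutoSize
```

Compare the reported dates and oemNN names against what is actually present before running pnputil -d or deleting anything from catroot, since the numbering differs per machine.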
Activating with dsa_control /a dsm://:/ does not work on 9.5. You have to use dsa_control -a dsm://:/
Notice the DASH (-) instead of the SLASH (/)!
Thank you, Nikolaj!
Thank you,
It works for me, thank you very much