Troubleshooting Trend Micro Deep Security: Fixing the "Anti-Malware Driver Offline/Not Installed" Error

If you are managing servers with Trend Micro Deep Security, seeing the status "Anti-Malware Driver Offline / Not Installed" can be frustrating. This error indicates that the Deep Security Agent (DSA) cannot communicate with or initialize the core anti-malware drivers, leaving your workload vulnerable.

Why is the Driver Showing as Offline?

Commonly, this issue occurs on Windows machines when the installation is corrupted or a critical service fails to start. Key reasons include:

Missing Root Certificates: The Windows OS may lack the necessary CA certificates to verify the driver’s digital signature, preventing installation.

Secure Boot Issues: On Linux or newer Windows servers, if Secure Boot is enabled and the Trend Micro public key isn't enrolled, the driver will be blocked.

Software Conflicts: Other antivirus products like OfficeScan, Apex One, or ServerProtect can prevent the DSA driver from loading.

Comodo Certificate Issues: A specific known conflict with Comodo certificates can trigger this "offline" status.

Step-by-Step Troubleshooting Guide

1. Initial Verification

Before performing a full reinstall, check if the necessary services are running:

Trend Micro Deep Security Agent and Trend Micro Solution Platform services should be "Running".

Run the following commands in an elevated command prompt to check driver status:

sc query AMSP
sc query tmcomm
sc query tmactmon
sc query tmevtmgr

If any of these are stopped, try restarting the Trend Micro Deep Security Agent service.

2. Resolving Secure Boot Conflicts

If you have Secure Boot enabled, you must enroll the Trend Micro public key. Alternatively, you can temporarily disable Secure Boot to confirm if it is the cause of the offline status.

3. Fixing Certificate & Signature Issues

If the server is not regularly updated, it may fail to verify the driver's signature:

Apply the latest Microsoft Windows Updates to ensure root certificates are current.

If a Comodo certificate is causing the issue, you may need to manually delete specific driver files like tbimdsa.sys and tmcomm.sys before reinstalling.

4. The Clean Reinstallation (Recommended Fix)

Most "corrupted installation" cases are best solved by a clean wipe and fresh install:

Anti-Malware: Driver offline / Not installed - Deep Security

When dealing with Trend Micro Deep Security, specifically when the anti-malware driver is not installed or not running properly (often referred to as being "offline"), there are several steps you can take to troubleshoot and potentially resolve the issue. Here’s a structured approach:

3.2 Driver Registration & Kernel Loading Failures

Resolved: “Trend Micro Deep Security Anti-Malware Driver Offline Not Installed” – Causes and Fixes

Introduction: A Critical Alert for Virtualized Environments

For system administrators managing hybrid data centers or large-scale virtualized environments (VMware, Hyper-V, or AWS), Trend Micro Deep Security is a cornerstone of workload protection. Its "Agentless Anti-Malware" feature is particularly prized because it offloads scanning responsibilities to the hypervisor, saving memory and CPU cycles on individual virtual machines (VMs).

However, a common and frustrating error message can appear in the Deep Security Manager (DSM) console or event logs:

"Anti-Malware Driver Offline – Not Installed"

This alert typically appears with an orange or yellow warning triangle on the "Overview" or "Computer" tab. What makes this issue particularly perplexing is that it often happens offline—meaning the VM is powered on and appears functional, but the driver is either missing, corrupt, or disabled.

If you are seeing this status, your VMs are not protected against malware. This article explains exactly why this happens and provides a step-by-step guide to resolve it.

What Does “Offline Not Installed” Mean?

When you see this status, one of three conditions is true:

  1. The anti-malware driver is missing from the VM’s operating system (agent-based deployments).
  2. The hypervisor integration service (VMware Tools/Hyper-V Integration Services) is not running or outdated.
  3. The Deep Security Virtual Appliance (DSVA) cannot communicate with the ESXi host or Hyper-V server.

The word "offline" is key. It does not mean the VM is powered off. It means the driver service is not responding to DSM heartbeats.

Step 1 – Reinstall the Anti-Malware Feature

1. Overview of the Driver

The Trend Micro Deep Security Anti-Malware driver (typically ds_driver.sys or similar kernel-mode driver) is responsible for:

In a standard online installation, the driver is deployed automatically when the Deep Security Agent is installed or activated.


2. Reinstall the Anti-Malware Feature

Using the Deep Security Manager:

  1. Go to Policies → select the policy assigned to the computer.
  2. Under Anti-Malware → General, uncheck "Enable Anti-Malware" → Save.
  3. Wait for the policy update to reach the agent.
  4. Re-check "Enable Anti-Malware" → Save → Force policy update.

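Or manually reinstall the component via command line on the agent machine (reset the agent, then re-activate it), from an elevated command prompt:

cd "C:\Program Files\Trend Micro\Deep Security Agent"
REM Reset the agent: clears its activation and configuration (does not uninstall the agent)
dsa_control -r
REM Re-activate against the manager. <manager-host> is a placeholder; 4120 is the default heartbeat port
dsa_control -a dsm://<manager-host>:4120/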

Root Causes

The failure to install the Anti-Malware driver (kernel module) is usually caused by one of the following factors:

  1. Missing Kernel Headers/Devel Packages: The Deep Security Anti-Malware driver is a kernel module. On Linux systems, if the kernel headers matching the current running kernel are not present, the driver cannot compile or install.
  2. Incompatible Kernel Version: The operating system kernel has been updated to a version newer than what the current Deep Security Agent supports.
  3. Secure Boot (UEFI): If Secure Boot is enabled in the BIOS, the operating system may block the loading of unsigned third-party kernel modules (like the Trend Micro AM driver).
  4. GCC Compiler Issues: The driver compilation process requires the GNU Compiler Collection (GCC). If the version of GCC used to compile the kernel differs from the version installed on the system, compilation may fail.
  5. File System Permissions: The account running the Deep Security Agent service may lack the necessary permissions to write to the module directories (e.g., /lib/modules).
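
A read-only pre-flight for root causes 1, 3, 4 and 5 above, as an added example (not Trend Micro's code and not part of the original page). Function names are illustrative, and `mokutil` and `gcc` are used only if present; cause 2 depends on Trend Micro's supported-kernel list and is not checked here.

```shell
#!/bin/sh
# Added example: read-only pre-flight for the Linux root causes listed above.
# Function names are illustrative; this is not Trend Micro tooling.

# Cause 1: headers for a kernel release are normally reachable through
# <modules root>/<release>/build (a dangling symlink when they are missing).
headers_present() { [ -d "${2:-/lib/modules}/$1/build" ]; }

# Cause 3: normalise `mokutil --sb-state` output to enabled/disabled/unknown.
secure_boot_state() {
  case "$1" in
    *"SecureBoot enabled"*)  echo enabled ;;
    *"SecureBoot disabled"*) echo disabled ;;
    *)                       echo unknown ;;
  esac
}

# Cause 4: major version of the GCC that built the kernel, parsed from a
# /proc/version-style banner. Prints nothing when the banner names no gcc.
kernel_gcc_major() {
  printf '%s\n' "$1" | sed -n 's/.*gcc[^0-9]*\([0-9][0-9]*\)\..*/\1/p'
}

# Cause 5: can the current account write to the release's module directory?
modules_writable() { [ -w "${2:-/lib/modules}/$1" ]; }

preflight() {
  rel=$(uname -r)
  if headers_present "$rel"; then echo "OK   kernel headers for $rel"
  else echo "FAIL no kernel headers/devel package for $rel"; fi
  sb=$(secure_boot_state "$(mokutil --sb-state 2>/dev/null || true)")
  if [ "$sb" = enabled ]; then echo "WARN Secure Boot on: Trend Micro public key must be enrolled"
  else echo "INFO Secure Boot state: $sb"; fi
  kgcc=$(kernel_gcc_major "$(cat /proc/version 2>/dev/null || true)")
  igcc=$(gcc -dumpversion 2>/dev/null || true); igcc=${igcc%%.*}
  if [ -z "$igcc" ]; then echo "FAIL gcc is not installed"
  elif [ "$kgcc" = "$igcc" ]; then echo "OK   gcc $igcc matches the kernel build"
  else echo "WARN kernel built with gcc ${kgcc:-unknown}, installed gcc is $igcc"; fi
  if modules_writable "$rel"; then echo "OK   /lib/modules/$rel is writable"
  else echo "FAIL $(id -un) cannot write to /lib/modules/$rel"; fi
}

preflight
```

Run it as the account the Deep Security Agent service uses, so the write-permission result reflects what the agent itself would see.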

Method C: Pre-Compiled Drivers (Relay Method)

If the endpoint cannot compile its own driver (e.g., lack of compiler tools), you can download pre-compiled drivers from Trend Micro.

  1. Open the Deep Security Manager (DSM) console.
  2. Navigate to Support > Downloads.
  3. Download the Deep Security Driver Package that matches your agent version.
  4. Import the driver package into DSM via Administration > System Settings > Drivers.
  5. Once imported, the agent will attempt to download the pre-compiled binary from the manager instead of building it locally.