Channel: vStrong.info

The Ultimate Guide to uninstalling Trend Micro Deep Security Agent


I had a problem activating TM DS Agent with symptoms similar to the ones described in Trend Micro Knowledge Base / Solution ID 1095437, “Anti-malware module of the Deep Security Agent (DSA) shows ‘Driver offline / Not installed’ in the Deep Security Notifier”.

After numerous attempts to uninstall, clean up and reinstall the Trend Micro Deep Security Agent, the issue was still not resolved.

So, here is the ULTIMATE guide to uninstalling TM DSA that worked for me on several servers:

N.B. If you have network teaming configured, this procedure may break the team or wipe the team’s network stack. Just re-create the team and it should work OK.

  1. Uninstall the DSA from the server
  2. Run the tbclean.exe utility. See [Solution ID 1054528]
  3. Clean up the registry
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSP
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AMSPStatus
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Deep Security Agent
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\WL
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Amsp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ds_agent
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ds_notifier
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tbimdsa
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmactmon
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmevtmgr
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Deep Security Agent
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Deep Security Relay
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\tbimdsa\
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\C4AF20E48325C454BBBE163E418FCEA9\
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\C4AF20E48325C454BBBE163E418FCEA9\
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}\
  4. Restart the server
  5. Check if any of these files or folders are present and delete them if found:
    C:\WINDOWS\System32\Drivers\tbimdsa.sys
    C:\WINDOWS\System32\Drivers\tmactmon.sys
    C:\WINDOWS\System32\Drivers\tmcomm.sys
    C:\WINDOWS\System32\Drivers\tmevtmgr.sys
    C:\WINDOWS\System32\LogFiles\ds_agent\
    C:\Program Files\Trend Micro\AMSP\
    C:\Program Files\Trend Micro\Deep Security Agent\Agent
    C:\Program Files\Trend Micro\Deep Relay of Security Settings\Local (Relay)
    C:\Program Files\Trend Micro\Deep Notifier of Security Settings\Local (Notifier)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro\Deep Security\Trend Micro Deep Security Notifier (for Windows 2008)
    C:\Documents and Settings\All Users\Start menu\programs\Trend Micro\ Deep Security\Trend Micro Deep Security Notifier (for Windows 2003)
    C:\Windows\Installer\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}/Agent 64-bit
  6. Review the file C:\Windows\inf\setupapi.dev.log.
    Look for entries containing tmcomm.sys, tmevtmgr.sys and tmactmon.sys. These entries show whether anything remains from a previous installation: look for lines like “Installing catalog (any of the three drivers above).cat as:”, and note the installation dates and the oemXX.inf files that were used to install these drivers.
  7. Uninstall the existing tmcomm.sys, tmevtmgr.sys and tmactmon.sys drivers using pnputil -d oemXX.inf (on this particular computer oem26.inf, oem27.inf and oem28.inf).
    Identify which oemXX.inf files you need to uninstall by reviewing setupapi.dev.log.
  8. Delete any catalog files for AMSP drivers present in C:\Windows\system32\catroot
    (on this particular computer oem9.cat, oem10.cat and oem11.cat) that are leftovers from previous installations and that tbclean and pnputil did not remove
  9. Delete old driver files present in the Windows driver store:
    C:\Windows\system32\DriverStore\FileRepository\tmxxxx (folders)
    N.B. You might need to take ownership of those folders first.
  10. Install all the Comodo certificates following the KB: http://esupport.trendmicro.com/solution/en-US/1104241.aspx
    Remember to place them in the appropriate store.
  11. Reinstall the DSA using the freshly downloaded installation package. [Trend Micro Software Download Center]
  12. Restart the server
  13. Verify that the drivers are present in Device Manager (using the view of non-Plug and Play devices); you should see the following drivers: tmcomm.sys, tmevtmgr.sys and tmactmon.sys
  14. Deactivate the agent on the DSM (to remove the old association)
  15. Activate the agent from the DSM.
    If you prefer agent-initiated activation, use this command: dsa_control /a dsm://<host or IP>:<port>/ (default port 4120)
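
Since the same registry keys, paths and driver names have to be checked on every server, here is a PowerShell script that does the mechanical parts of the procedure above (steps 3, 5, 7, 8 and 9, using the setupapi.dev.log review from step 6, plus the driver check from step 13). This is an added example, not code from the original post or from Trend Micro. Run it from an elevated PowerShell: without -Apply it only reports what it would remove, so run it in report mode first and compare the output against the list above. Two things are assumptions of mine rather than anything stated on the page: the exact shape of the “Installing catalog … as” line in setupapi.dev.log, and that leftover oemXX.inf files can be recognised by scanning their text for the three driver file names. The Deep Security Relay/Notifier folders and the Windows 2003 Start Menu path are left out for a manual check because their paths as listed above are ambiguous; steps 1, 2, 4, 10 to 12, 14 and 15 stay manual.

```powershell
# Added example (not from the original post): scripts the repeatable parts of the
# cleanup - steps 3, 5, 7, 8 and 9 (reading setupapi.dev.log as in step 6) and the
# driver check from step 13. Without -Apply it only reports. Run elevated.
# Assumptions not stated on the page: the setupapi.dev.log line shape matched in
# Get-AmspCatalogName, and that leftover oemXX.inf files can be recognised by
# scanning their text for the three driver file names.
param([switch]$Apply)

$Drivers = 'tmcomm', 'tmevtmgr', 'tmactmon'
$Sys = $env:SystemRoot

# Step 3: registry keys listed in the post (HKLM: provider notation).
$RegistryKeys = @(
    'HKLM:\SOFTWARE\TrendMicro\AEGIS', 'HKLM:\SOFTWARE\TrendMicro\AMSP',
    'HKLM:\SOFTWARE\TrendMicro\AMSPStatus', 'HKLM:\SOFTWARE\TrendMicro\Deep Security Agent',
    'HKLM:\SOFTWARE\TrendMicro\WL',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Amsp', 'HKLM:\SYSTEM\CurrentControlSet\Services\ds_agent',
    'HKLM:\SYSTEM\CurrentControlSet\Services\ds_notifier', 'HKLM:\SYSTEM\CurrentControlSet\Services\tbimdsa',
    'HKLM:\SYSTEM\CurrentControlSet\Services\tmactmon', 'HKLM:\SYSTEM\CurrentControlSet\Services\tmcomm',
    'HKLM:\SYSTEM\CurrentControlSet\Services\tmevtmgr',
    'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog\Application\Deep Security Agent',
    'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog\Application\Deep Security Relay',
    'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog\System\tbimdsa',
    'HKLM:\SOFTWARE\Classes\Installer\Features\C4AF20E48325C454BBBE163E418FCEA9',
    'HKLM:\SOFTWARE\Classes\Installer\Products\C4AF20E48325C454BBBE163E418FCEA9',
    'HKLM:\SOFTWARE\Classes\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\689D08D76B5A47A4FB59D97D2C4B9308',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}'
)

# Step 5: files and folders listed in the post whose paths are unambiguous.
$FilePaths = @(
    "$Sys\System32\Drivers\tbimdsa.sys", "$Sys\System32\Drivers\tmactmon.sys",
    "$Sys\System32\Drivers\tmcomm.sys",  "$Sys\System32\Drivers\tmevtmgr.sys",
    "$Sys\System32\LogFiles\ds_agent",
    "$env:ProgramFiles\Trend Micro\AMSP",
    "$env:ProgramFiles\Trend Micro\Deep Security Agent",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro\Deep Security",
    "$Sys\Installer\{4E02FA4C-5238-454C-BBEB-61E314F8EC9A}"
)

# Removes a registry key, file or folder if present; in report mode it only prints.
function Remove-Leftover([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    if (-not $Apply) { Write-Host "Would remove: $Path"; return }
    try { Remove-Item -LiteralPath $Path -Recurse -Force; Write-Host "Removed: $Path" }
    catch { Write-Warning "Could not remove $Path : $_" }
}

# Steps 6/8: oemXX.cat names that setupapi.dev.log records for the three drivers.
# Assumed line shape: "sig: Installing catalog tmcomm.cat as oem9.cat" (quotes/colon tolerated).
function Get-AmspCatalogName {
    $log = "$Sys\inf\setupapi.dev.log"
    if (-not (Test-Path -LiteralPath $log)) { return @() }
    $re = "Installing catalog\s+'?(tmcomm|tmevtmgr|tmactmon)\.cat'?\s+as:?\s+'?(oem\d+\.cat)'?"
    Select-String -Path $log -Pattern $re | ForEach-Object { $_.Matches[0].Groups[2].Value } | Sort-Object -Unique
}

# Step 7: published oemXX.inf files whose text references one of the three driver files.
function Get-AmspPublishedInf {
    Get-ChildItem -Path "$Sys\inf" -Filter 'oem*.inf' | Where-Object {
        (Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue | Out-String) -match '(?i)\b(tmcomm|tmevtmgr|tmactmon)\.sys\b'
    }
}

# Step 13 (after the reinstall): kernel drivers appear as Win32_SystemDriver instances,
# the same objects Device Manager lists under non-Plug and Play drivers.
function Test-AmspDriver {
    foreach ($d in $Drivers) {
        $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$d'"
        if ($drv) { "{0}: {1} ({2})" -f $d, $drv.State, $drv.PathName } else { "${d}: MISSING" }
    }
}

Write-Host "== Step 3: registry =="
foreach ($k in $RegistryKeys) { Remove-Leftover $k }
Write-Host "== Step 5: files and folders =="
foreach ($p in $FilePaths) { Remove-Leftover $p }
Write-Host "== Step 7: published INFs =="
foreach ($inf in Get-AmspPublishedInf) {
    # Legacy pnputil syntax as in the post; add -f if a device still references the package.
    if ($Apply) { & pnputil.exe -d $inf.Name } else { Write-Host "Would run: pnputil -d $($inf.Name)" }
}
Write-Host "== Step 8: leftover catalogs =="
$cats = @(Get-AmspCatalogName)
Get-ChildItem -Path "$Sys\System32\catroot" -Recurse -Filter '*.cat' |
    Where-Object { $cats -contains $_.Name } | ForEach-Object { Remove-Leftover $_.FullName }
Write-Host "== Step 9: driver store folders =="
Get-ChildItem -Path "$Sys\System32\DriverStore\FileRepository" |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^tm(comm|evtmgr|actmon)\.inf_' } |
    ForEach-Object {
        if ($Apply) {   # take ownership first; S-1-5-32-544 is local Administrators on any locale
            & takeown.exe /f $_.FullName /r /d y | Out-Null
            & icacls.exe $_.FullName /grant '*S-1-5-32-544:F' /t | Out-Null
        }
        Remove-Leftover $_.FullName
    }
Write-Host "== Step 13: driver check (meaningful only after the reinstall) =="
Test-AmspDriver
```

Save it as a .ps1 and run it once without -Apply, reboot as in step 4, then run it with -Apply; after the reinstall in step 11 the last section should report all three drivers as Running with their paths under System32\Drivers. The driver store match is deliberately narrow (folder names of the form tmcomm.inf_…) so that unrelated folders starting with “tm” are not touched.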

Hope this helps.
