Trend Micro Deep Security Anti-malware Driver Offline Not Installed May 2026

The status "Anti-Malware: Driver offline / Not installed" indicates that the Deep Security Agent (DSA) cannot communicate with or find the required anti-malware kernel drivers on the host system

. This critical error prevents the anti-malware module from functioning, leaving the machine unprotected. TrendMicro Core Causes Corrupted Installation:

Remnants from previous installations or failed updates can block new drivers from loading. Secure Boot Conflicts: On Linux and modern Windows systems, having Secure Boot

enabled without the Trend Micro public key enrolled will block the driver from loading. Missing Certificates:

The Windows OS may lack the necessary CA certificates (like VeriSign or DigiCert) required to verify the driver’s digital signature. Software Conflicts:

Other antivirus products (e.g., OfficeScan, Apex One, or third-party AVs) can conflict with the Deep Security driver installation. Kernel Incompatibility (Linux):

The current Linux kernel version may not be supported by the installed agent, requiring a new Kernel Support Package (KSP). TrendMicro Troubleshooting & Fixes 1. Verify Services and Drivers (Windows)

Run the following commands in an administrative Command Prompt to check if core drivers are active: www.trendmicro.com sc query AMSP sc query tmcomm sc query tmactmon sc query tmevtmgr

Note: If any are not running, restart the "Trend Micro Deep Security Agent" and "Trend Micro Solution Platform" services. www.trendmicro.com 2. Manage Secure Boot If Secure Boot is enabled, you must either enroll the Trend Micro public key

or temporarily disable Secure Boot to confirm it is the cause of the offline status. www.trendmicro.com 3. Clean Reinstallation

A standard uninstall often leaves files behind. For a complete fix: Uninstall Deep Security 12-Sept-2022 — The status "Anti-Malware: Driver offline / Not installed"

The "Anti-Malware driver offline/not installed" status in Trend Micro Deep Security typically indicates a corrupted installation, missing system certificates, or driver conflicts. Immediate Troubleshooting Steps

Check Services: Ensure that the Trend Micro Deep Security Agent and Trend Micro Solution Platform (AMSP) services are running on the endpoint.

Verify Drivers: Open a command prompt as an administrator and run sc query AMSP (and tmcomm, tmactmon, tmevtmgr for versions 12.5 or older) to see if they are active.

Update Certificates: If the server lacks the latest Root Certificates (DigiCert, VeriSign), it may fail to verify the driver's digital signature, preventing installation. Run Windows Updates or manually patch certificates.

Check Conflicts: Ensure no other antivirus products (like OfficeScan or Apex One) are running, as they can block driver installation. How to Resolve the Issue

If simple service restarts don't work, a full reinstallation is often the most effective fix:

Deactivate the Agent: From the Deep Security Manager (DSM), right-click the computer and select Actions > Deactivate. Uninstall and Clean: Uninstall the Deep Security Agent via Control Panel.

If files remain, manually delete them from C:\Program Files\Trend Micro\Deep Security Agent\ and C:\Program Files\Trend Micro\AMSP\.

Check Device Manager for any leftover non-plug-and-play drivers (like tmactmon or tmcomm) and uninstall them if present.

Reboot: This is critical to clear any drivers still held in memory. but the driver is either missing

Reinstall and Reactivate: Install the latest MSI package (do not use the .zip) and reactivate it from the DSM. Virtual Environments (vSphere)

If you are using agentless protection on a VM, ensure the following:

VMware Tools: The "Endpoint Drivers" or "vShield Endpoint" must be installed using the Complete or Custom installation option.

Power States: VMs in standby or hibernate mode may lose communication with the security appliance, triggering this status. AI responses may include mistakes. Learn more

Error: Anti-Malware Engine Offline - Deep Security Help Center

The "Anti-Malware Driver Offline" or "Not Installed" error in Trend Micro Deep Security typically indicates a corruption in the agent installation or a failure in the underlying security services. Common Causes

Corrupted Installation: The agent software did not install properly or critical files have been damaged.

Missing Certificates: The system lacks required root certificates (e.g., VeriSign or DigiCert) needed to verify the driver’s digital signature.

Secure Boot Issues: On Linux, Secure Boot may be enabled without the necessary Trend Micro public key enrolled.

Software Conflicts: Co-existence with other antivirus products like OfficeScan or Apex One can block the driver from loading. Recommended Troubleshooting Steps "Anti-Malware Driver Offline – Not Installed"

Warning: Anti-Malware Engine has only Basic Functions | Deep Security

Prevention & Best Practices

1. Automated Dependency Management: Use configuration management tools (like Ansible or Puppet) to ensure kernel-devel and gcc are installed immediately after OS provisioning.
2. Driver Updates: When upgrading the OS kernel, ensure you update the Deep Security Agent or import the new driver packages into DSM before rebooting the server.
3. Secure Boot Planning: If Secure Boot must remain enabled, ensure you are using a Deep Security Agent version that supports signed drivers or prepare a signing infrastructure for your Linux modules.

5. DSVA (Deep Security Virtual Appliance) Network Segmentation

For agentless deployments, the DSVA must have network access to the ESXi host’s management IP and the VM’s storage (via vMotion network). If firewalls block ports (e.g., TCP 443, 4120), the driver status appears offline.

2. Windows Update Conflicts (Kernel Patch Tuesday)

After a Microsoft Patch Tuesday, a Windows kernel update may change the filter manager structure. If the Trend Micro driver (tmebc.sys, tmcomm.sys) was compiled for an older kernel version, it will fail to load. The agent shows as "online," but the anti-malware driver remains offline.

Step 4: Reinstall the Deep Security Agent (Offline Method)

If the driver is corrupt and you are in an offline or air-gapped environment (no internet), use the offline installer:

1. Download the appropriate agent package from Trend Micro’s download center (requires valid license).
2. Copy the installer (e.g., Agent-RedHat_8-10.2.0-7950.x86_64.rpm or Agent-Windows-10.2.0.exe) to the VM via USB, ISO, or management share.
3. Uninstall the existing agent (back up the configuration first).
4. Reboot the VM.
5. Install the new agent using offline parameters:
   • Windows: Agent-Windows.exe /quiet /norestart (then reboot).
   • Linux: rpm -ivh Agent-RedHat*.rpm or dpkg -i Agent-Debian*.deb
6. Reconnect to DSM by importing the agent certificate (usually found in C:\ProgramData\Trend Micro\Deep Security Agent\dsa.crt).

Resolved: “Trend Micro Deep Security Anti-Malware Driver Offline Not Installed” – Causes and Fixes

Introduction: A Critical Alert for Virtualized Environments

For system administrators managing hybrid data centers or large-scale virtualized environments (VMware, Hyper-V, or AWS), Trend Micro Deep Security is a cornerstone of workload protection. Its "Agentless Anti-Malware" feature is particularly prized because it offloads scanning responsibilities to the hypervisor, saving memory and CPU cycles on individual virtual machines (VMs).

However, a common and frustrating error message can appear in the Deep Security Manager (DSM) console or event logs:

"Anti-Malware Driver Offline – Not Installed"

This alert typically appears with an orange or yellow warning triangle on the "Overview" or "Computer" tab. What makes this issue particularly perplexing is that it often happens offline—meaning the VM is powered on and appears functional, but the driver is either missing, corrupt, or disabled.

If you are seeing this status, your VMs are not protected against malware. This article explains exactly why this happens and provides a step-by-step guide to resolve it.

Step-by-Step Fixes