Trend Micro Deep Security Anti-Malware Driver Offline / Not Installed

If the logs indicate a build failure due to missing headers, install the required packages and restart the agent.

The "Anti-Malware Driver Offline" or "Not Installed" error in Trend Micro Deep Security typically indicates a corruption in the agent installation or a failure in the underlying security services.

Common Causes

Corrupted Installation: The agent software did not install properly or critical files have been damaged.

Missing Certificates: The system lacks required root certificates (e.g., VeriSign or DigiCert) needed to verify the driver’s digital signature.

Secure Boot Issues: On Linux, Secure Boot may be enabled without the necessary Trend Micro public key enrolled.

Software Conflicts: Co-existence with other antivirus products like OfficeScan or Apex One can block the driver from loading.

Recommended Troubleshooting Steps



If the endpoint cannot compile its own driver (e.g., lack of compiler tools), you can download pre-compiled drivers from Trend Micro.

| Cause | Description |
|-------|-------------|
| Incomplete installation | The anti-malware feature was selected, but the driver failed to install during setup. |
| Driver blocked by security software | Another antivirus or EDR solution is running and prevents Trend Micro's driver from loading. |
| Windows Driver Signature Enforcement | The driver might be unsigned or blocked by Secure Boot / Driver Signature Enforcement. |
| Corrupted driver files | The driver files (tmcomm.sys, tmactmon.sys, tmevtmgr.sys, etc.) are missing or damaged. |
| Deep Security Agent offline | The agent reports the driver as offline because the service is not running. |
| After OS upgrade | Windows feature updates can unload or block incompatible drivers. |

The "Trend Micro Deep Security Anti-Malware Driver Offline Not Installed" error is more than a nuisance—it’s a security gap. In this state, your workloads are running blind, unable to detect file-based malware, ransomware, or webshells.

The good news is that the fix is almost always within your control. Whether it’s a simple reboot after VMware Tools update, a registry tweak, or an offline agent reinstall, the steps outlined above will restore your protection. Always test in a non-production VM first, and remember: in agentless deployments, check the hypervisor first; in agent-based deployments, check the kernel driver second.

Final checklist:

Secure your data center from the hypervisor down. With the anti-malware driver online, Deep Security can finally do its job.


This article is intended for IT professionals managing Trend Micro Deep Security version 10.x, 12.x, or 20.x. Always refer to Trend Micro’s official documentation for version-specific commands.

When the Trend Micro Deep Security Notifier displays "Driver offline / Not installed," it typically signals a corrupted installation or a critical driver failing to load on the endpoint. This error prevents the Anti-Malware module from protecting the system, even if the main Deep Security Agent (DSA) appears active in the management console.

Immediate Troubleshooting Steps

Before performing a full reinstallation, try these quick fixes:

Restart Services: Open the Windows Services console and ensure the Trend Micro Deep Security Agent and Trend Micro Solution Platform (AMSP) services are running.

Check Driver Status: Open a command prompt as an administrator and run sc query AMSP, sc query tmcomm, sc query tmactmon, and sc query tmevtmgr. If any are stopped, attempt to start them manually.

Verify Installation File: Ensure you used the .msi installer rather than extracting files from a .zip package, as the latter can lead to incomplete driver registration.

Root Causes and Solutions

1. Corrupted Installation

A failed update or partial uninstall often leaves behind registry keys that block new drivers from installing.

Solution: Perform a manual uninstallation. Go to Device Manager, enable "Show hidden devices," and under Non-Plug and Play Drivers, uninstall tmactmon, tmcomm, and tmevtmgr. Reboot the machine before attempting a fresh installation of the latest agent version.

2. Certificate and Digital Signature Issues

Outdated root certificates on Windows servers can prevent the system from verifying the digital signatures of Trend Micro drivers.

Solution: Ensure the server has the latest Microsoft root certificate updates. In some cases, conflicting third-party certificates (like Comodo) must be cleared and reinstalled to allow the Trend Micro drivers to initialize properly.

3. Secure Boot and Kernel Compatibility (Linux)

On Linux systems, the Anti-Malware driver (VFS_Filter) may fail if the kernel is unsupported or if Secure Boot is blocking the module.

Solution: Check your kernel version against the Trend Micro Support Matrix. If Secure Boot is enabled, you must enroll the Trend Micro public key to allow the driver to load.

4. Agentless Protection (VMware Environments)


The error "Trend Micro Deep Security Anti-Malware Driver Offline Not Installed" typically occurs when the Deep Security Agent (DSA) experiences a corrupted installation, lacks essential operating system certificates, or faces conflicts with other security software. This status is often visible in the Deep Security Manager (DSM) console or through the Deep Security Notifier on the local machine.

Common Causes for the Error

Understanding the root cause is critical for choosing the right fix:

Corrupted Installation: A failed or partial installation may prevent the anti-malware services from starting correctly.

Missing Root Certificates: On Windows servers, the absence of updated CA certificates (like VeriSign or DigiCert) may prevent the OS from verifying the driver's digital signature, causing it to block the installation.

Software Conflicts: Pre-existing antivirus solutions (e.g., OfficeScan, Apex One) can conflict with the Deep Security driver.

Virtualization Issues: For agentless protection, missing vShield/Guest Introspection drivers or power management settings (sleep/hibernation) can trigger an offline status.

Step-by-Step Troubleshooting Solutions

1. Reinstall the Deep Security Agent

Most cases are resolved by a clean uninstallation followed by a fresh install.

Manual Uninstall: If the standard uninstaller fails, manually remove the agent.

Clean Up Drivers: Use the Command Prompt to stop and delete leftover driver services:

    sc stop tmactmon
    sc delete tmactmon
    sc stop tmcomm
    sc delete tmcomm
    sc stop tmevtmgr
    sc delete tmevtmgr

Reboot: A system restart is required to clear active drivers from memory.

Reinstall: Run the latest agent installer and reactivate the agent from the Deep Security Manager.

2. Verify Digital Certificates (Windows)

If the driver fails to install repeatedly, the OS may not trust the Trend Micro signature. Ensure the server has the latest Microsoft updates.

Check for the presence of the necessary root certificates (DigiCert, USERTrust).

Refer to the Trend Micro Success Portal for specific certificate update steps.

3. Manual Filter Driver Installation

If the engine remains offline after reinstallation, you may need to manually point the OS to the filter driver.

Navigate to the network adapter properties.

Install the driver located at: C:\Program Files\Trend Micro\Deep Security Agent\infsys\WinxpRelease.

Verify the driver is loaded by running sc query vsepflt in an admin command prompt.

4. Troubleshooting Agentless (VMware) Environments

If you are using agentless protection via the Deep Security Virtual Appliance (DSVA):

Check VMware Tools: Ensure the "Guest Introspection" driver (vsepflt) is selected during the VMware Tools installation.

Test Connection: In the DSM, go to Computers, right-click your vCenter, and select Properties > Test Connection.

Power Settings: Disable sleep or hibernation on the protected VM, as these states can break the connection to the security appliance.

5. Linux-Specific Fixes

For Linux systems showing an "Engine Offline" error:

Restart the service using: sudo /etc/init.d/ds_agent restart.

Check if the current kernel is supported by viewing the Deep Security Compatibility Matrix.

This guide addresses the "Anti-Malware Driver Offline / Not Installed" status in Trend Micro Deep Security, a common hurdle that leaves endpoints vulnerable.

Troubleshooting "Anti-Malware Driver Offline" in Trend Micro Deep Security

Seeing the "Anti-Malware Driver Offline" or "Not Installed" alert in your Deep Security Manager (DSM) console typically means the agent cannot verify the working status of the Anti-Malware module. Whether you are using agent-based or agentless protection, here is how to resolve the issue.

1. Identify the Root Cause

Before diving into fixes, check for these common culprits:

Missing Root Certificates: On Windows, if Microsoft root certificate updates are missing, the OS cannot verify the driver’s digital signature, preventing installation.

Software Conflicts: Pre-existing antivirus software like Trend Micro OfficeScan, Apex One, or third-party products often block the Deep Security driver.

Corrupted Installation: A failed or partial installation process can leave drivers in a "limbo" state.

Secure Boot: On Linux, Secure Boot might be enabled without a public key enrolled, blocking the driver.

2. Verify Services and Drivers

Ensure the necessary services are active on the affected machine. Open a command prompt as an administrator and run:

    rem Check primary services (AMSP = Trend Micro Solution Platform)
    rem sc query expects the service key name; if a display name is rejected,
    rem resolve it first with: sc getkeyname "<display name>"
    sc query "Trend Micro Deep Security Agent"
    sc query AMSP

    rem Check specific drivers (version 12.5 or earlier)
    sc query tmcomm
    sc query tmactmon
    sc query tmevtmgr

If these show as stopped, attempt to restart the Trend Micro Deep Security Agent service.

3. Step-by-Step Resolution (Agent-Based)

If basic service restarts fail, follow this sequence:

Update Certificates: Ensure the machine has the latest required root certificates (e.g., DigiCert, VeriSign, USERTrust). This is often the primary fix for Windows machines.

Remove Conflicts: Uninstall any other antivirus products.

Manual Reinstall: A standard uninstall often isn't enough if drivers are stuck. Manually uninstall the agent and reboot.

Verify stuck drivers are removed by checking Device Manager > Non-Plug and Play Drivers.

Reinstall using a freshly downloaded .msi package—never use a .zip for installation.

4. Special Considerations for Agentless Protection

For virtual machines protected via a Deep Security Virtual Appliance (DSVA):

VMware Tools: Ensure VMware Tools is installed with the Guest Introspection (vShield) driver selected.

Sleep Mode: If a VM enters a standby or hibernate state, it may lose communication with the vShield driver, triggering the "offline" status.

vMotion Issues: Temporary offline status can occur during Storage vMotion if the VM's UUID changes.

For more detailed walkthroughs, refer to the Deep Security Help Center or the official Trend Micro Success Portal.
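The driver checks and the certificate cause described in this guide can be combined in one pass. The following PowerShell is an added example, not Trend Micro's code or part of the original page; it assumes an elevated session on the Windows endpoint and uses the driver names listed above (tmcomm, tmactmon, tmevtmgr).

```powershell
# Added example (not Trend Micro code). Driver names are the ones this page lists
# for agent version 12.5 or earlier; adjust the list for your agent build.
$driverNames = 'tmcomm', 'tmactmon', 'tmevtmgr'

function Resolve-DriverPath {
    param([string]$PathName)
    # Driver paths are often stored in NT form: \??\C:\..., \SystemRoot\...,
    # or relative to %SystemRoot% (system32\drivers\...).
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($name in $driverNames) {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
    if (-not $drv) {
        # No service entry: the driver was never registered or was removed.
        [pscustomobject]@{ Driver = $name; State = 'NotInstalled'; StartMode = ''
                           Signature = 'n/a'; Path = '' }
        continue
    }
    $path = Resolve-DriverPath $drv.PathName
    $sig  = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
    }
    [pscustomobject]@{
        Driver    = $name
        State     = $drv.State       # e.g. Running, Stopped
        StartMode = $drv.StartMode   # Boot, System, Auto, Manual or Disabled
        Signature = if ($sig) { "$($sig.Status)" } else { 'FileMissing' }
        Path      = $path
    }
}
$report | Format-Table -AutoSize

# Map each non-running driver to the cause on this page it most likely matches.
foreach ($r in $report | Where-Object { $_.State -ne 'Running' }) {
    if     ($r.State -eq 'NotInstalled')    { $hint = 'no service entry: corrupted or incomplete installation' }
    elseif ($r.Signature -eq 'FileMissing') { $hint = 'driver file missing: corrupted installation' }
    elseif ($r.Signature -ne 'Valid')       { $hint = 'signature not verified: check root certificates' }
    else                                    { $hint = 'present and signed: check software conflicts' }
    '{0}: {1}' -f $r.Driver, $hint
}
```

A Signature value other than Valid on a stopped driver points at the root-certificate cause rather than a missing installation, which tells you whether to update certificates or reinstall the agent.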


Troubleshooting Trend Micro Deep Security: Fixing the "Anti-Malware Driver Offline/Not Installed" Error

If you are managing servers with Trend Micro Deep Security, seeing the status "Anti-Malware Driver Offline / Not Installed" can be frustrating. This error indicates that the Deep Security Agent (DSA) cannot communicate with or initialize the core anti-malware drivers, leaving your workload vulnerable.

Why is the Driver Showing as Offline?

Commonly, this issue occurs on Windows machines when the installation is corrupted or a critical service fails to start. Key reasons include:

Missing Root Certificates: The Windows OS may lack the necessary CA certificates to verify the driver’s digital signature, preventing installation.

Secure Boot Issues: On Linux or newer Windows servers, if Secure Boot is enabled and the Trend Micro public key isn't enrolled, the driver will be blocked.

Software Conflicts: Other antivirus products like OfficeScan, Apex One, or ServerProtect can prevent the DSA driver from loading.

Comodo Certificate Issues: A specific known conflict with Comodo certificates can trigger this "offline" status.

Step-by-Step Troubleshooting Guide

1. Initial Verification

Before performing a full reinstall, check if the necessary services are running:

Trend Micro Deep Security Agent and Trend Micro Solution Platform services should be "Running".

Run the following commands in an elevated command prompt to check driver status:

    sc query AMSP
    sc query tmcomm
    sc query tmactmon
    sc query tmevtmgr

If any of these are stopped, try restarting the Trend Micro Deep Security Agent service.

2. Resolving Secure Boot Conflicts

If you have Secure Boot enabled, you must enroll the Trend Micro public key. Alternatively, you can temporarily disable Secure Boot to confirm whether it is the cause of the offline status.

3. Fixing Certificate & Signature Issues

If the server is not regularly updated, it may fail to verify the driver's signature:

Apply the latest Microsoft Windows Updates to ensure root certificates are current.

If a Comodo certificate is causing the issue, you may need to manually delete specific driver files like tbimdsa.sys and tmcomm.sys before reinstalling.

4. The Clean Reinstallation (Recommended Fix)

Most "corrupted installation" cases are best solved by a clean wipe and fresh install:


Here’s a detailed technical analysis of the scenario where the Trend Micro Deep Security Anti-Malware driver is not installed in an offline environment.