Trend Micro Deep Security Anti-malware Driver Offline Not Installed Review

To move beyond the vague “offline” message, the following steps must be performed on the affected workload:

The most definitive way to diagnose the failure is to review the agent logs on the endpoint.


Verify that the operating system and specific kernel version are supported by the installed version of Deep Security.

Check the following:

Secure Boot prevents unsigned drivers from loading.



Troubleshooting Trend Micro Deep Security: Fixing the "Anti-Malware Driver Offline/Not Installed" Error

If you are managing servers with Trend Micro Deep Security, seeing the status "Anti-Malware Driver Offline / Not Installed" can be frustrating. This error indicates that the Deep Security Agent (DSA) cannot communicate with or initialize the core anti-malware drivers, leaving your workload vulnerable.

Why is the Driver Showing as Offline?

Commonly, this issue occurs on Windows machines when the installation is corrupted or a critical service fails to start. Key reasons include:

Missing Root Certificates: The Windows OS may lack the necessary CA certificates to verify the driver’s digital signature, preventing installation.

Secure Boot Issues: On Linux or newer Windows servers, if Secure Boot is enabled and the Trend Micro public key isn't enrolled, the driver will be blocked.

Software Conflicts: Other antivirus products like OfficeScan, Apex One, or ServerProtect can prevent the DSA driver from loading.

Comodo Certificate Issues: A specific known conflict with Comodo certificates can trigger this "offline" status.

Step-by-Step Troubleshooting Guide

1. Initial Verification

Before performing a full reinstall, check if the necessary services are running:

Trend Micro Deep Security Agent and Trend Micro Solution Platform services should be "Running".

Run the following commands in an elevated command prompt to check driver status:

    sc query AMSP
    sc query tmcomm
    sc query tmactmon
    sc query tmevtmgr

If any of these are stopped, try restarting the Trend Micro Deep Security Agent service.

2. Resolving Secure Boot Conflicts

If you have Secure Boot enabled, you must enroll the Trend Micro public key. Alternatively, you can temporarily disable Secure Boot to confirm if it is the cause of the offline status.

3. Fixing Certificate & Signature Issues

If the server is not regularly updated, it may fail to verify the driver's signature:

Apply the latest Microsoft Windows Updates to ensure root certificates are current.

If a Comodo certificate is causing the issue, you may need to manually delete specific driver files like tbimdsa.sys and tmcomm.sys before reinstalling.

4. The Clean Reinstallation (Recommended Fix)

Most "corrupted installation" cases are best solved by a clean wipe and fresh install:

Anti-Malware: Driver offline / Not installed - Deep Security

The "Anti-Malware Driver Offline" or "Not Installed" error in Trend Micro Deep Security indicates that the Deep Security Manager (DSM) cannot communicate with the agent's underlying anti-malware components. This typically stems from certificate issues, installation corruption, or service failures.

Common Root Causes

Missing CA Certificates: The Windows OS may lack the root certificates (e.g., VeriSign, DigiCert, Comodo) required to verify the driver's digital signature, preventing it from loading.

Installation Corruption: A failed or partial installation of the Deep Security Agent (DSA) can leave anti-malware drivers in a broken state.

Third-Party Conflicts: Existing antivirus software (like OfficeScan or Apex One) can conflict with the DSA anti-malware driver installation.

Power Management: For agentless protection, if a virtual machine enters standby or hibernation, communication with the vShield driver may be lost.

Secure Boot: On newer systems, if Secure Boot is enabled but the Trend Micro key is not enrolled, the driver will be blocked from loading.

Troubleshooting and Resolution Steps

1. Verify Core Services and Drivers

Ensure the required services are running on the Windows endpoint:

Services: Use services.msc to confirm that the Trend Micro Deep Security Agent and Trend Micro Solution Platform (AMSP) services are "Running".

Driver Status: Run the following commands in an Administrative Command Prompt to check driver health:

    sc query AMSP
    sc query tmcomm
    sc query tmactmon
    sc query tmevtmgr

If any are stopped, attempt to restart the Trend Micro services.

2. Resolve Certificate Issues

If signature verification fails (often signaled by Event ID 9017), you may need to manually update root certificates:
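Before changing anything, a read-only triage pass can cover the checks described above in one run: the state of the four names passed to sc query, whether Windows can verify each binary's signature, and whether Secure Boot is enabled. This is an added PowerShell example, not Trend Micro tooling; it assumes an elevated session on the affected Windows endpoint, and the report fields and the PathNotResolved label are illustrative names chosen here.

```powershell
# Added example, not Trend Micro tooling. Read-only; run from an elevated prompt.
# The four names are the ones the page passes to `sc query`.
$names = 'AMSP', 'tmcomm', 'tmactmon', 'tmevtmgr'

$report = foreach ($name in $names) {
    # Win32_BaseService is the parent class of both services and kernel drivers.
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'"
    if (-not $svc) {
        [pscustomobject]@{ Name = $name; Kind = $null; State = 'NotInstalled'
                           StartMode = $null; Signature = $null; Path = $null }
        continue
    }

    # Normalise NT-style image paths, then strip quotes and arguments.
    $path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -match '^"([^"]+)"' -or $path -match '^(.+?\.(?:exe|sys))(?:\s|$)') {
        $path = $Matches[1]
    }

    # A status other than Valid means Windows could not verify the file's
    # signature on this host, which is the symptom the certificate steps address.
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else { 'PathNotResolved' }   # illustrative label, not a Windows status

    [pscustomobject]@{ Name = $name; Kind = $svc.CreationClassName; State = $svc.State
                       StartMode = $svc.StartMode; Signature = $sig; Path = $path }
}

# Confirm-SecureBootUEFI throws on legacy-BIOS hosts and in non-elevated sessions.
$secureBoot = try { Confirm-SecureBootUEFI } catch { "unknown: $($_.Exception.Message)" }

$report | Format-Table Name, Kind, State, StartMode, Signature -AutoSize
"Secure Boot enabled: $secureBoot"

# Anything not running, or whose signature did not verify, is a lead to follow up.
$findings = $report | Where-Object { $_.State -ne 'Running' -or "$($_.Signature)" -ne 'Valid' }
if ($findings) { "Needs attention: $($findings.Name -join ', ')" }
```

A non-Valid signature status on a driver that is also stopped points toward the certificate steps; a Valid signature with Secure Boot enabled and the driver stopped points toward key enrollment instead.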

"Anti-Malware Driver Offline" or "Not Installed" in Trend Micro Deep Security indicates that while the Deep Security Agent (DSA) may be running, its specific protection module for malware cannot communicate with the core operating system.

Common Root Causes

Missing CA Certificates: On Windows, the OS may lack the root certificates (like SHA-2) required to verify the digital signature of the Anti-Malware driver, preventing it from loading.

Third-Party Conflicts: Other antivirus software (e.g., OfficeScan, Apex One, or Comodo) can block the installation or operation of the Deep Security drivers.

Installation Corruption: The agent installation may be broken, often requiring a manual cleanup of specific driver files.

Secure Boot (Linux/Windows): Secure Boot may be enabled without the proper Trend Micro public keys enrolled, causing the system to reject the driver.

Virtual Machine Standby: In agentless setups, if a VM enters a standby or sleep state, communication with the vShield driver is lost, triggering the offline status.

Trend Micro Recommended Troubleshooting Steps

Anti-Malware: Driver offline / Not installed - Deep Security, 8 May 2025