Trend Micro Deep Security Anti-malware Driver Offline Not Installed -

This message typically appears in Trend Micro Deep Security (now often branded as Trend Micro Vision One for workload security) when the anti-malware component cannot function because its core kernel driver is either:

The driver in question is responsible for real-time scanning, on-access protection, and malware prevention on the protected machine (workload — physical, virtual, or cloud).

The "Trend Micro Deep Security Anti-Malware Driver Offline Not Installed" error is more than a nuisance—it’s a security gap. In this state, your workloads are running blind, unable to detect file-based malware, ransomware, or webshells.

The good news is that the fix is almost always within your control. Whether it’s a simple reboot after VMware Tools update, a registry tweak, or an offline agent reinstall, the steps outlined above will restore your protection. Always test in a non-production VM first, and remember: in agentless deployments, check the hypervisor first; in agent-based deployments, check the kernel driver second.

Final checklist:

Secure your data center from the hypervisor down. With the anti-malware driver online, Deep Security can finally do its job.

This article is intended for IT professionals managing Trend Micro Deep Security version 10.x, 12.x, or 20.x. Always refer to Trend Micro’s official documentation for version-specific commands.

The "Anti-Malware Driver Offline/Not Installed" status in Trend Micro Deep Security indicates the agent is unable to communicate with its local anti-malware module or the driver itself is missing/failed TrendMicro Common Causes Installation Corruption

: The initial installation was incomplete or files became corrupted. Certificate Issues

: Missing root certificates on Windows prevent digital signature verification for the driver. A specific conflict with Comodo certificates is also a known trigger. Security Conflicts

: Existing third-party antivirus software or older Trend Micro products (like OfficeScan) can block driver installation. Environment Features

: Secure Boot being enabled without the proper public key enrolled can block the driver from loading. VM Sleep States

: If a virtual machine enters standby or sleep mode, communication with the driver may be lost. TrendMicro Troubleshooting and Solutions 1. Basic Service and Status Checks Restart Services This message typically appears in Trend Micro Deep

: Attempt to restart the Trend Micro Deep Security Agent service first. For Linux, use sudo /etc/init.d/ds_agent restart Check Policies

: In the Deep Security Manager, verify that the Anti-Malware policy is actually turned for that specific computer. www.trendmicro.com

Anti-Malware: Driver offline / Not installed - Deep Security

When the Trend Micro Deep Security Notifier displays "Driver offline / Not installed," it typically signals a corrupted installation or a critical driver failing to load on the endpoint. This error prevents the Anti-Malware module from protecting the system, even if the main Deep Security Agent (DSA) appears active in the management console. Immediate Troubleshooting Steps

Before performing a full reinstallation, try these quick fixes:

Restart Services: Open the Windows Services console and ensure the Trend Micro Deep Security Agent and Trend Micro Solution Platform (AMSP) services are running.

Check Driver Status: Open a command prompt as an administrator and run sc query AMSP, sc query tmcomm, sc query tmactmon, and sc query tmevtmgr. If any are stopped, attempt to start them manually.

Verify Installation File: Ensure you used the .msi installer rather than extracting files from a .zip package, as the latter can lead to incomplete driver registration. Root Causes and Solutions 1. Corrupted Installation

A failed update or partial uninstall often leaves behind registry keys that block new drivers from installing.

Solution: Perform a manual uninstallation. Go to Device Manager, enable "Show hidden devices," and under Non-Plug and Play Drivers, uninstall tmactmon, tmcomm, and tmevtmgr. Reboot the machine before attempting a fresh installation of the latest agent version. 2. Certificate and Digital Signature Issues

Outdated root certificates on Windows servers can prevent the system from verifying the digital signatures of Trend Micro drivers.

Solution: Ensure the server has the latest Microsoft root certificate updates. In some cases, conflicting third-party certificates (like Comodo) must be cleared and reinstalled to allow the Trend Micro drivers to initialize properly. 3. Secure Boot and Kernel Compatibility (Linux) The driver in question is responsible for real-time

On Linux systems, the Anti-Malware driver (VFS_Filter) may fail if the kernel is unsupported or if Secure Boot is blocking the module.

Solution: Check your kernel version against the Trend Micro Support Matrix. If Secure Boot is enabled, you must enroll the Trend Micro public key to allow the driver to load. 4. Agentless Protection (VMware Environments)

Anti-Malware: Driver offline / Not installed - Deep Security

Seeing the error "Anti-Malware Driver offline/Not installed" in Trend Micro Deep Security usually means the agent’s core protection module has failed to initialize or has been blocked. This status leaves your server vulnerable as the agent cannot monitor or block malicious activity. Why Is This Happening?

Corrupted Installation: The most common cause is a failed or incomplete installation of the Deep Security Agent (DSA) .

Missing Root Certificates: On Windows, the OS may lack the necessary CA certificates to verify the driver's digital signature, preventing it from loading.

Security Software Conflicts: Existing antivirus programs like Trend Micro OfficeScan or third-party AVs can block the DSA driver installation.

Secure Boot Issues: For Linux systems, Secure Boot may be enabled without the proper public key enrolled for the Trend Micro driver. How to Fix It (Step-by-Step) 1. The "Clean Slate" Method (Recommended)

Since corrupted files often cause this, a clean reinstall is usually the fastest fix. Deactivate the agent in the Deep Security Manager (DSM) .

Uninstall the Deep Security Agent from the affected machine.

Manual Cleanup: Open a Command Prompt as Admin and ensure these driver services are fully removed: sc delete tmactmon sc delete tmcomm sc delete tmevtmgr Reboot the server to clear remaining hooks. Reinstall the agent and reactivate it from the Manager. 2. Verify OS Environment

If a reinstall fails, the underlying OS might be blocking the driver: Secure your data center from the hypervisor down

Windows Updates: Ensure the server has the latest Microsoft root certificate updates so it can trust Trend Micro’s signed drivers.

Conflict Check: Remove any old OfficeScan/Apex One clients or third-party AV agents before installing Deep Security.

Secure Boot (Linux): If using Linux, either disable Secure Boot or enroll the Trend Micro public key. 3. Agentless Protection (VMware/NSX)

If you are seeing this error in a virtual environment using agentless protection:

Verify that Guest Introspection is installed and running in your vSphere/NSX environment .

Check that the VMware Tools are up to date and compatible with your Deep Security version.

For deeper troubleshooting, you can generate a Diagnostic Package from the Agent to send to Trend Micro Support .

Anti-Malware: Driver offline / Not installed - Deep Security

If on a test machine, reboot and press F8 → Disable Driver Signature Enforcement. If the driver loads, you need to sign it properly or update Deep Security Agent.

The most definitive way to diagnose the failure is to review the agent logs on the endpoint.

For the agent to build the driver locally, specific packages must be installed.