Thursday, February 14, 2013

How to Remove Trend Micro Deep Security Agent 8.x


I had a Trend Micro Deep Security Manager server fail and leave dozens of machines running the Trend Deep Security Agent and no way to control them. If you are here, you may know what I mean and what a problem this is.
  
They were in a state where they were unable to activate on a new server (“Activation Failed - Deactivation Required” or “Unmanaged - Deactivation Required”). The Deep Security Agent was unable to be uninstalled or changed through normal means (“Removal or modification of the application is prohibited by its security settings”). Attempts to reset the Deep Security Agent through the command line per the Trend manual failed (“Forbidden”). The Trend services were unavailable to stop, and access was denied to set them to “Disabled” on startup. The Trend support supplied utility TBCLEAN.EXE also failed.

In short, there was nothing on the Trend site about how to remove an orphaned Agent, and Trend support was not particularly fast at coming up with a solution. Here is what I did, and it has worked on all Windows operating systems I have in my organization: Windows XP, Windows 7 32 and 64, Windows 2003 R2, and Windows 2008 R2. I would suggest you use it only as a last resort and be very careful, but suit yourself. I’m not your mom and if you screw things up it is entirely your problem:


  1. Make sure you have the local administrator password for the machine you are working on. Failure to do so may result in a machine that is stuck in Safe Mode that you cannot log in to. I cannot stress this enough.

  2. Run the MSCONFIG utility and set the affected machine for a Diagnostic Startup and a Safe Boot or Safe Mode, depending on your OS, and reboot.

  3. Log into the machine as local admin and open a command window.

  4. Run the following commands:

    1. sc delete ds_agent
    2. sc delete ds_notifier
    3. sc delete amsp
    4. sc delete tmactmon
    5. sc delete tmevtmgr
    6. sc delete tmcomm

  5. Delete the folder C:\Program Files\Trend Micro and all subdirectories.

  6. Run REGEDIT and delete the key HKLM\Software\Trend Micro and all subkeys.

  7. Run MSCONFIG again and set the machine to boot normally.

  8. Reboot the machine and uninstall the Trend Micro Agent through Add/Remove Programs or Programs and Features, depending on OS.

Now you should be able to reinstall Trend and activate it on the new Trend Deep Security Manager server. I hope this saves you some time and energy.
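
A read-only check that can be run after the `sc delete` commands and again after the final reboot, reporting which of the listed services, the folder and the registry key are still present. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later is installed (it is not there by default on Windows XP or Windows 2003), and `Get-AgentRemnant` and `New-Finding` are hypothetical helper names.

```powershell
# Added example: read-only check for remnants of the agent after the manual cleanup.
# Service names and paths are the ones listed in the post; nothing is modified.
$serviceNames = 'ds_agent', 'ds_notifier', 'amsp', 'tmactmon', 'tmevtmgr', 'tmcomm'
$startModes   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function New-Finding($item, $state, $detail) {
    New-Object PSObject -Property @{ Item = $item; State = $state; Detail = $detail }
}

function Get-AgentRemnant {
    param([string[]]$Names)

    foreach ($name in $Names) {
        # Read the service control manager's registry entry directly, so that
        # Win32 services and kernel drivers are handled the same way.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -LiteralPath $key)) {
            New-Finding "service: $name" 'Removed' ''
            continue
        }
        $props = Get-ItemProperty -LiteralPath $key
        $start = 'Unknown'
        if ($null -ne $props.Start -and $startModes.ContainsKey([int]$props.Start)) {
            $start = $startModes[[int]$props.Start]
        }
        # DeleteFlag = 1: the service is marked for deletion and goes away at reboot.
        if ($props.DeleteFlag -eq 1) {
            New-Finding "service: $name" 'Pending deletion' "start=$start; reboot to finish"
        } else {
            New-Finding "service: $name" 'Still registered' "start=$start; image=$($props.ImagePath)"
        }
    }

    # Folder and registry key named in the post.
    foreach ($path in 'C:\Program Files\Trend Micro', 'HKLM:\SOFTWARE\Trend Micro') {
        if (Test-Path -LiteralPath $path) { $state = 'Still present' } else { $state = 'Removed' }
        New-Finding "path: $path" $state ''
    }
}

Get-AgentRemnant -Names $serviceNames | Select-Object Item, State, Detail | Format-Table -AutoSize
```

Any row that still reads "Still registered" or "Still present" after the final reboot identifies a remnant to clean up before reinstalling the agent.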



2 comments:

  1. Great article - worked a treat! Many thanks.

  2. I actually had to do the sethc.exe hack where you get a command prompt as SYSTEM, as SYSTEM had control over some of the services and I couldn't get control back (take control of sethc.exe, give yourself full control, rename it, copy cmd.exe and rename it to sethc.exe; then reboot and hit the shift key 6x at the logon screen). Then I could run tbclean a little more successfully and the commands you recommended. Yes, even with that I had to remove some things manually. And unfortunately, the service that was baked sometimes varied between machines. At least the new version of Trend would fully install afterwards!
