Windows Firewall settings changed after installing Deep Security Agent (DSA)

Solution ID Last Updated
1055458 Nov. 07, 2014 12:05 AM (PST)

Product / Version Platform
Deep Security - 6.0, 7.0, 7.5, 8.0, 9.0, 9.5;
Windows - 2003 Compute Cluster Server, 2003 Datacenter Server, 2003 Datacenter Server Edition 64-bit, 2003 Enterprise Server, 2003 Home Server, 2003 Small Business Server, 2003 Standard Server Edition, 2003 Standard Server Edition 64-bit, 2003 Standard Server Edition 64-bit, 2003 Storage Server, 2003 Web Server Edition

Problem Description

Learn how you can prevent the Deep Security Agent (DSA) from changing the Windows Firewall settings.
By default, DSA installation will disable Windows Firewall. However, if Windows Firewall is enabled via GPO, then Deep Security will not be able to turn off Windows Firewall.
In some cases, Deep Security may not turn off Windows Firewall, but will modify its port and process exclusions and cause legitimate applications to be blocked by Windows Firewall.


To resolve this issue:
  1. Download the DSA MSI package transform file for your Deep Security version. This will prevent the Deep Security Agent from trying to change the Windows Firewall settings.
  2. Use the following command to install the MSI package:
    msiexec /i <path to Agent.msi> TRANSFORMS=<path to Leave_Firewall.mst>  /L*v c:\dsa_install.log
    Note: In some environments running Deep Security 9.0, the TRANSFORMSSECURE setting may need to be used along with the MST file. The command would then be:
    msiexec /i <path to Agent.msi> TRANSFORMS=<path to Leave_Firewall.mst> TRANSFORMSSECURE=0 /L*v c:\dsa_install.log
    Setting the TRANSFORMSSECURE property to "0" informs the installer that transforms are not to be cached locally on the user's computer in a location where the user does not have write access.
If the above steps did not resolve the issue, send the following information to Trend Micro Technical Support:
  • MSI install log file that will be created (C:\dsa_install.log)
  • Screenshot of the firewall "show state" command before and after the DSA installation:
    C:\ netsh
    netsh> firewall
    netsh firewall> show state

Rate this Solution
Did this article help you?

Please provide your comments to help us improve this solution.

  *This form is an automated system. General questions, technical, sales and product-related issues submitted through this form will not be answered.

Connect with us on