GBHackers

Trend Micro Deep Security Agent Flaw Allows Repeatable Security Bypass


Trend Micro’s Deep Security Agent for Linux contains a design flaw in its behavior-monitoring stack that allows a local, unprivileged attacker to repeatedly force short “blind spots” in which endpoint protections are temporarily bypassed.

The issue stems from how the agent unloads and reloads its bmhook and tmhook kernel modules under heavy local event load, creating a repeatable protection gap rather than a one‑off stability glitch.

Trend Micro Deep Security Agent Flaw

Independent research on Trend Micro Deep Security Agent (DSA) showed that an unprivileged process can generate a high‑volume “event storm” of benign filesystem and process activity, stressing the agent’s behavior-monitoring pipeline.

In tests, a C‑based proof‑of‑concept hammered file create/write/truncate/rename operations, symlink creation/removal, and fork/exit loops against a Linux host protected by DSA.

Rather than simply throttling telemetry, the agent’s ds_am.init component responded by invoking rmmod on the bmhook and tmhook kernel modules, fully unloading and subsequently reloading the syscall‑hooking and behavior‑monitoring stack.

The timing data collected from dmesg showed that tmhook, deployed as a Linux livepatch module, entered a full unpatch-repatch cycle, with a livepatch transition of roughly 20 seconds and an interval of about 1–2 seconds during which tmhook was absent from the kernel.

Importantly, bmhook – the behavior monitoring module that depends on tmhook – was observed disappearing before tmhook fully unloaded, meaning monitoring could be degraded even while the lower‑level hook substrate remained present.

To disambiguate between a kernel crash and an intentional recovery path, the researcher used bpftrace to monitor execve and module_free events related to rmmod.

The resulting traces showed ds_am.init spawning /usr/sbin/rmmod to unload bmhook and tmhook, with module_free confirming real module removal rather than a cosmetic state change.

Systemd configuration for ds_agent.service showed Restart=no, and logs indicated that the agent, not systemd, drove the unload/reload logic, pointing to an internal “loop prevention” or recovery mechanism in the Trend Micro stack.

Figure: the PoC detects LKM DOWN: bmhook disappears first, tmhook later enters its livepatch reload cycle (Source: Matheuz Security)

Static inspection of the unstripped kernel modules aligned with this runtime behavior: tmhook exposes generic syscall‑hook registration symbols and livepatch initialization paths, while bmhook implements the behavior pipeline, including queueing, throttling, and self‑protection routines with configuration strings such as enable_loop_prevention and bmhook_throttle_check.

Together, these findings support the conclusion that high‑rate local activity can push the behavior monitoring engine into a recovery path where ds_am.init deliberately removes and reinstates the hooks.
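As an added, defender-side example (not code from the article or from the researcher), the script below scans a trace of module events for the unload/reload signature described above: it pairs each module_free of bmhook or tmhook with the next load of that module, measures the blind-spot duration, records which process spawned rmmod, and flags repeated cycles inside a short window. The key=value line format and the sample trace are constructed for this example (a bpftrace script could be written to emit it); they are not Deep Security's own output.

```python
import re
from collections import defaultdict

WATCHED = {"bmhook", "tmhook"}
# Constructed trace format (not Deep Security's own): TS=<sec> EV=<event> MOD=<module> [COMM=<parent>]
LINE_RE = re.compile(r"TS=(?P<ts>\d+(?:\.\d+)?) EV=(?P<ev>\w+) MOD=(?P<mod>\w+)(?: COMM=(?P<comm>\S+))?")

def parse_events(lines):
    """Return (ts, event, module, comm) tuples for the watched modules, time-ordered."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("mod") in WATCHED:
            events.append((float(m.group("ts")), m.group("ev"), m.group("mod"), m.group("comm")))
    return sorted(events, key=lambda e: e[0])

def find_gaps(events):
    """Pair each module_free with the next module_load of the same module: the blind spot.
    Returns (module, unload_ts, reload_ts, seconds); reload_ts is None if never reloaded."""
    unloaded_at, gaps = {}, []
    for ts, ev, mod, _ in events:
        if ev == "module_free":
            unloaded_at.setdefault(mod, ts)
        elif ev == "module_load" and mod in unloaded_at:
            start = unloaded_at.pop(mod)
            gaps.append((mod, start, ts, round(ts - start, 3)))
    gaps += [(mod, start, None, None) for mod, start in unloaded_at.items()]
    return sorted(gaps, key=lambda g: g[1])

def repeated_cycles(gaps, window_s=300.0, min_cycles=2):
    """True when one module is unloaded min_cycles times within window_s (a lone unload may be an upgrade)."""
    starts = defaultdict(list)
    for mod, start, _, _ in gaps:
        starts[mod].append(start)
    return any(s[i + min_cycles - 1] - s[i] <= window_s
               for s in starts.values() for i in range(len(s) - min_cycles + 1))

def rmmod_parents(events):
    """Processes that spawned rmmod for a watched module (ds_am.init vs. an admin shell)."""
    return sorted({c for _, ev, _, c in events if ev == "rmmod_exec" and c})

# Constructed sample: two cycles ~90 s apart; bmhook is freed ~20 s before tmhook, as reported.
SAMPLE_TRACE = [
    "TS=1000.000 EV=rmmod_exec MOD=bmhook COMM=ds_am.init", "TS=1000.050 EV=module_free MOD=bmhook",
    "TS=1001.000 EV=rmmod_exec MOD=tmhook COMM=ds_am.init", "TS=1021.000 EV=module_free MOD=tmhook",
    "TS=1022.500 EV=module_load MOD=tmhook", "TS=1023.000 EV=module_load MOD=bmhook",
    "TS=1090.000 EV=rmmod_exec MOD=bmhook COMM=ds_am.init", "TS=1090.040 EV=module_free MOD=bmhook",
    "TS=1091.000 EV=rmmod_exec MOD=tmhook COMM=ds_am.init", "TS=1111.000 EV=module_free MOD=tmhook",
    "TS=1112.600 EV=module_load MOD=tmhook", "TS=1113.100 EV=module_load MOD=bmhook",
]
```

On the sample, find_gaps reports tmhook absent for 1.5 s and bmhook for about 23 s per cycle, and repeated_cycles flags the pair of cycles; a single unload during a planned agent upgrade would not trip the window check.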

While the bug is not a remote code execution vulnerability and does not provide a persistent agent-kill switch, its impact is a local, temporary, repeatable protection bypass.

In a baseline state, Trend Micro Deep Security Agent blocked a known malicious test artifact and prevented it from persisting on disk, demonstrating expected detection and remediation behavior.

When the same download was executed during the bmhook/tmhook reload window, however, the artifact landed successfully and remained on disk, indicating that the enforcement decision changed while monitoring was offline or degraded.

From an attacker’s perspective, this window can be weaponized to stage malware or tooling that would normally be blocked, unpack second‑stage payloads, rename or chmod files before scanning catches up, or execute short‑lived helpers designed to operate entirely inside the blind spot.

Because the trigger is an unprivileged event storm and the reload cycles can be induced repeatedly, an adversary with an initial Linux foothold could synchronize malicious actions with these protection gaps.

Affected components and current status

The behavior has been observed in Ubuntu Linux environments running Trend Micro Deep Security Agent with the tmhook and bmhook kernel modules deployed as part of the Linux kernel support pack.

The research targets the Linux agent’s behavior-monitoring path, not the Deep Security Manager itself. It is distinct from previously disclosed Deep Security CVEs covering privilege escalation, code injection, and access control flaws.

As of now, the event‑storm‑triggered reload issue does not appear as an assigned CVE in public Deep Security vulnerability listings, suggesting it is either under coordinated disclosure or not yet tracked as a formal CVE.

Given that this flaw impacts the continuity of endpoint protection rather than kernel integrity, its realistic threat model is a local, unprivileged attacker on a protected Linux host, such as a compromised developer workstation, a low‑privilege service account, or an initial malware dropper.

The researcher’s severity assessment labels the issue High, based on the ability of an unprivileged workload to induce a protection gap in a core security control repeatedly.
