Channel: Ivanti User Community : Document List - Antivirus and Antispyware

How to troubleshoot LANDesk Antivirus 9.5


This article details the troubleshooting steps for LANDesk Antivirus 9.5.

 

It is highly recommended to go through the relevant areas of the Kaspersky Endpoint Security 8 online course available from Kaspersky: http://support.kaspersky.com/learning/courses/kl_102.98

 


 

LANDesk Antivirus 9.5 Installation

 

LANDesk Antivirus can be installed on a client in 3 different ways.

 

  • Installed as part of the Agent installation.

1. Select LANDesk Antivirus component within the Agent Configuration - Start - Agent Components to Install section.

2. Configure desired settings within the Agent Configuration - Security and Compliance - LANDesk Antivirus section.

 

-or-

 

  • Installed through an Install/Update Security Components task

1. Open the Agent Settings tool within the LDMS console.

2. Select the Create a Task dropdown and select Install/Update Security Components.

3. Select the desired Task Type, select LANDesk Antivirus under Components to Install, then select the desired Task Options and reboot options (controlled through Scan and Repair Settings).

     

Note: If experiencing installation issues, you can select the box "Troubleshoot LANDesk Antivirus installation using interactive mode" to run an Antivirus installation with a full UI available.

 

-or-

 

  • Run "vulscan /installav" from the command line of a client computer

 

Note: If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui")

 

Log files used during LANDesk Antivirus 9.5 installation:

Log Filename | Purpose | Location
ldav_install.log | Logs installation activity controlled by LDAV.EXE | %appdata%\LANDeskAV
msi_install.log | Logs installation of the Kaspersky Endpoint Security .MSI | %appdata%\LANDeskAV
installav.log (or installav#.log) | Logs installation activity controlled by Vulscan.exe | %appdata%\vulscan
KESPatchMSI.log, KESPatch.log | Logs installation of all Kaspersky patches applied | %appdata%\Kaspersky Lab
KL*.log | 9.5 SP2 install logs | C:\Windows\Temp

Installation troubleshooting tip: to open the log file directories on the client quickly, type "vulscan e" at the Run line to open the %appdata%\vulscan directory, or "vulscan av" to open the %appdata%\LANDeskAV folder.

 

Most installation failures will be logged within MSI_INSTALL.LOG.

 

Installation activity is also recorded to the Security Activity tool within the LDMS console. 

 

Installation requires a reboot if installing over an older version of LANDesk Antivirus. In addition, another reboot is required after the latest critical updates have been applied following the Antivirus pattern file update.

 

Possible Installation issues:

 

  • Insufficient Memory - See Kaspersky Endpoint Security 8 System Requirements. Note: the requirement is stated as "Free RAM", not "Total RAM"; this is the RAM available at the time of the LDAV install.
    Install failures due to insufficient memory are viewable in the Security Activity tool and in the MSI_Install.log file.
  • Conflicting 3rd Party Software

 

During installation, LANDesk Antivirus will detect the presence of incompatible 3rd-party software.  LANDesk Antivirus utilizes the Kaspersky Cleaner utility in addition to the existing removal capabilities of LDAVHLPR.DLL. 

If conflicting software is found during the LANDesk Antivirus installation, one of two events will occur:

    1. Conflicting software will be automatically removed
    2. Installation will fail.

 

For a list of incompatible software: http://support.kaspersky.com/kes8wks/install?qid=208285017

 

Install failures due to incompatible software are viewable in MSI_Install.log file.

 

Uninstallation

 

Uninstalling LANDesk can be done in the following ways:

 

1. Schedule a "Remove Security Components" task from within the Security Activity tool in the LANDesk Console.  Select "LANDesk Antivirus" as a component to remove.

2. Run "vulscan /removeav" from the client command line

 

Note: To remove and reinstall LANDesk Antivirus, perform an uninstall and then an install. Reinstalling over the top does not remove the .MSI; it simply performs the LANDesk-specific actions controlled by vulscan.exe and LDAV.EXE.

 

Conflicting 3rd Party Software

 

During installation, LANDesk Antivirus will detect the presence of incompatible 3rd-party software.  LANDesk Antivirus can remove some incompatible software during install. 

If conflicting software is found during the LANDesk Antivirus installation, one of two events will occur:

  1. Conflicting software will be automatically removed
  2. Installation will fail. 

 

For a list of incompatible software: http://support.kaspersky.com/kes8wks/install?qid=208285017

 

Product Activation

A valid license .KEY file must be obtained from LANDesk licensing support and imported into the LANDesk Core server:

 

Either log a case via support.landesk.com over the internet, or:

 

  1. Contact LANDesk Support by phone and select Option 1 for Product Activation/Licensing.   Then select option 1 again for LDMS/LDSS Licensing support.
  2. Give the Support Engineer your company account name and your contact information.
  3. The Support Engineer will provide a .key file via e-mail.
  4. The .key file will be in a .zip format.  This .zip file should be uncompressed.
  5. Within the LDMS console, under the Security Activity tool select the Settings dropdown and choose either "LANDesk Antivirus Action Center" or "LANDesk Antivirus license information".
  6. Browse to the LANDesk Antivirus .key file and select "Import"

Once the key has been imported on the core server, subsequent vulnerability scans compare the LDAV.KEY on the core with the LDAV.KEY on the client. If the license file on the core server differs from the .KEY file on the client, the core server's copy of the license .KEY file is downloaded and placed into the LDCLIENT\Antivirus\Install\Key folder on the client.

When the LANDesk Antivirus service starts, it compares the key file in the LDCLIENT\Antivirus\Install\Key folder with the key file in the LDCLIENT\Antivirus folder. If the hashes do not match, the key file is copied from the LDCLIENT\Antivirus\Install\Key folder to the LDCLIENT\Antivirus folder. The copy of the key file in the LDCLIENT\Antivirus folder is the key file from which the client is activated.

The license information is verified on the client in the following circumstances:

  • During LANDesk Antivirus installation
  • When the LANDesk Antivirus service is started
  • Every 5 minutes after LANDesk Antivirus service is started
  • After pattern file update is performed

When troubleshooting client activation issues, the following log files should be consulted:

  • LDAV.LOG - Shows activation activity from the LANDesk Antivirus service start or the 5 minute interval check
  • LDAV_UPDATE.LOG - Shows activation activity if LANDesk Antivirus is activated during pattern file update
  • LDAV_INSTALL.LOG - Shows activation activity if LANDesk Antivirus is activated during the installation

 

Directories


LANDesk Antivirus uses the following directories:

  • C:\documents and settings\all users\application data\LANDeskAV  (C:\ProgramData\LANDeskAV for Windows 7/Server 2008)
    Main directory for LANDesk Antivirus log files
  • C:\documents and settings\all users\application data\Kaspersky Labs (C:\ProgramData\Kaspersky Labs for Windows 7/Server 2008)
    Directory for Kaspersky Endpoint Security 8 trace files
  • C:\program files\landesk\ldclient\antivirus
    Main directory for LANDesk Antivirus service
  • C:\program files\landesk\ldclient\antivirus\install
    Used to install LANDesk Antivirus and rebrand Kaspersky Endpoint Security 8
  • C:\program files\landesk\ldclient\antivirus\temp_bases8
    Used to update pattern files
  • C:\program files\landesk\ldclient\antivirus\kav
    Kaspersky Endpoint Security 8 files
  • C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\KES8\Bases (C:\ProgramData\Kaspersky Lab\KES8\Bases for Windows 7/Server 2008)
    Pattern files directory for Kaspersky Endpoint Security 8.
  • C:\Program Files\LANDesk\LDClient\Antivirus\KAV\Patches
    Directory where Kaspersky patches are stored.   Look here to see if patches have been downloaded.

 

Important Files in LANDesk Antivirus 9.5

Filename | Purpose | Location
LDAV.exe | LANDesk Antivirus Service | LDClient\Antivirus
LDAV.key | License file for LANDesk Antivirus | LDClient\Antivirus

 

 

Registry Key Name | Purpose
HKLM\Software\KasperskyLab | Kaspersky Antivirus settings
HKLM\Software\LANDesk\ManagementSuite\WinClient\Antivirus | Configuration information, last scan dates, status information
HKLM\Software\LANDesk\ManagementSuite\WinClient\Antivirus\License | LANDesk Antivirus 9.5 license details
HKLM\Software\LANDesk\ManagementSuite\WinClient\Vulscan\klbehavior | Currently assigned LANDesk Antivirus settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\976DD27DCE3AFCF4FAFA212E5542056B\Patches | Currently installed patches

 

Settings

The LANDesk Antivirus scanner, as with the LANDesk Security vulnerability scanner, uses an XML file to configure its behavior. Antivirus Settings files are stored in:

C:\documents and settings\all users\application data\vulscan\KLBehavior_<id>.xml

 

The following registry key value indicates the ID of the AV behavior being used:

 

  • Key: HKLM\Software\LANDesk\ManagementSuite\WinClient\Vulscan
  • DWORD Value: KLBehavior


Antivirus Settings XML files can be updated using a Scheduled Task on the core; or they can be updated automatically according to the same schedule that vulscan uses to update its own Agent Behaviors.

 

To refresh settings, create a Change Settings task on the Core Server: select the "Create a Task" dropdown in Patch Manager, select "Change Settings" and then create a schedule.

 

Alternatively "vulscan /changesettings" can be run from the client command line.  (Add /showui to the command to view the UI while it is running)

 

Tasks

 

Scheduled tasks for Update, Full Scan, and Critical Areas scan are created via LANDesk Local Scheduled Tasks. No task is created within LANDesk Antivirus itself, so the tasks shown in the client UI display "Manually".

 


To view the LANDesk Local Scheduled tasks:

From the LDCLIENT directory, run: LocalSch.exe /tasks | more


Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (Recommended update frequency is daily, before the daily scan)

Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Critical Areas Scan (Recommended scan frequency is daily, after pattern files have been updated)

Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Full System Scan (Recommended scan frequency is weekly)

 

Settings that cannot be configured through LANDesk Management Suite

 

Currently, not all settings available within the LANDesk Antivirus 9.5 GUI (Kaspersky Endpoint Security 8) can be configured using LANDesk Management Suite.

 

In order to utilize settings not available within the LANDesk Antivirus Settings within the LANDesk Management Suite Console, the following steps can be performed:

 

Configure client and export settings

 

In order to change settings on the client, the LANDesk Antivirus settings must allow Settings to be changed.   This is configured within the General section of Antivirus Settings underneath "Permissions Settings".

 

1. Within the client UI, make any changes desired.

2. Under the Settings tab, in the left hand-pane select "Advanced Settings".

3. Under "Manage Settings" in the right-hand pane, select "Save".

4. Name and save the settings .CFG file to a network location (on the core server or otherwise).

 

Import client settings into LANDesk Antivirus settings on core

 

1. Open desired LANDesk Antivirus setting on the core server.

2. In the left hand pane under "Advanced Settings" select "Import Kaspersky Settings".

3. Check the box labeled "Import settings file from a Kaspersky antivirus client"  (This also applies to a LANDesk Antivirus 9.5 client)

 

Note: Any settings that ARE configurable within the LANDesk Antivirus settings will supersede any identical settings imported from the client. The extra settings that cannot be configured through LDMS will be appended to the LDMS Antivirus settings.

 

 

Gathering logging information for LANDesk support:


1. Standard Log Files


Files to be gathered:


Windows XP/2003:
  • C:\Documents and Settings\All Users\Application Data\LANDeskAV\*.log
  • C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log
  • C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\*.log
  • C:\Windows\Temp\KL*.log

Windows 7/2008:
  • C:\ProgramData\LANDeskAV\*.log
  • C:\ProgramData\vulscan\installav*.log
  • C:\ProgramData\Kaspersky Lab\*.log
  • C:\Windows\Temp\KL*.log


2. Trace Log Files


More complex issues will sometimes require the collection of extended trace log files.   These log files contain verbose information that can assist in finding the root cause of an issue.


On the client with LANDesk Antivirus installed, double click the system tray icon and do the following:


Make sure to use an administrator user account.

  • Click the Support button in the main application window.
  • Click the System tracing button.
  • An Information for Technical Support window will open. Select a Trace level in the drop-down menu as requested by Technical Support. If Technical Support has not specified a level, it is recommended to set Normal (500).
  • Click the Enable button to start the tracing process.
  • Reproduce the issue.
  • Click the Disable button to stop the tracing process.





Trace files are created in text format with a unique name: [Application_version].[Patch]_[Creation_date]_[Creation_time_GMT].PID.Source

Trace files are generated in the %ProgramData% folder, by default:

  • Windows Vista / Windows 7 / Windows Server 2008: Disk:\ProgramData\Kaspersky Lab\;
  • Windows XP / Windows 2003: Disk:\Documents and Settings\All Users\Application Data\Kaspersky Lab\.


The last section of each log file name indicates the process that originated the logging.


Filename Suffix | Description
.HST | Dedicated service processes, such as the updater process, or one of the service processes on multicore systems
AVPCon.dll | Main service process; shows scanning activity for all scans
.GUI | GUI process: registration, creation of UI popups, etc.
.SRV | Main service process; shows scanning activity for all scans
.mcou.OUTLOOK.EXE | Microsoft Outlook e-mail plugin log
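An added PowerShell example (not from the article) that stages the files listed under "Standard Log Files" into one folder for a case, adds the active KLBehavior_<id>.xml described in the Settings section, and writes an index of the Kaspersky trace files classified by the suffix table above. It assumes the trace files carry a trailing .log (as the Kaspersky Lab\*.log entry in the standard log list implies) and must be run as an administrator.

```powershell
# Added example: collect LANDesk Antivirus 9.5 support logs into one folder.
# CommonApplicationData resolves to ProgramData on Windows 7/2008 and to
# "All Users\Application Data" on XP/2003, so one path list covers both.
$Common = [Environment]::GetFolderPath('CommonApplicationData')
$Out    = Join-Path $env:TEMP ('LDAV_logs_{0:yyyyMMdd_HHmm}' -f (Get-Date))
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Standard log locations from the "Gathering logging information" section.
$Globs = @(
    (Join-Path $Common 'LANDeskAV\*.log'),
    (Join-Path $Common 'vulscan\installav*.log'),
    (Join-Path $Common 'Kaspersky Lab\*.log'),
    (Join-Path $env:windir 'Temp\KL*.log')
)
foreach ($g in $Globs) {
    Get-ChildItem -Path $g -ErrorAction SilentlyContinue | Copy-Item -Destination $Out -Force
}

# The settings XML the client is currently applying; its ID is the KLBehavior DWORD.
$vs = 'HKLM:\Software\LANDesk\ManagementSuite\WinClient\Vulscan'
$id = (Get-ItemProperty -Path $vs -Name KLBehavior -ErrorAction SilentlyContinue).KLBehavior
if ($id -ne $null) {
    Copy-Item (Join-Path $Common "vulscan\KLBehavior_$id.xml") $Out -ErrorAction SilentlyContinue
}

# Classify trace files by the suffix that precedes the trailing .log (assumed layout).
$Suffix = @{ '.HST'              = 'dedicated service process (e.g. updater)'
             'AVPCon.dll'        = 'main service process'
             '.GUI'              = 'GUI process'
             '.SRV'              = 'main service process'
             '.mcou.OUTLOOK.EXE' = 'Outlook e-mail plugin' }
Get-ChildItem -Path (Join-Path $Common 'Kaspersky Lab') -Filter '*.log' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = 'unknown source'
        foreach ($s in $Suffix.Keys) {
            if ($_.BaseName.ToLower().EndsWith($s.ToLower())) { $kind = $Suffix[$s] }
        }
        '{0,-60} {1}' -f $_.Name, $kind
    } | Out-File -FilePath (Join-Path $Out 'trace_index.txt')

Write-Output "Collected into $Out; zip this folder and attach it to the case."
```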


In addition, in many instances a GetSystemInfo report should also be gathered:


3. GetSystemInfo Utility


The GetSystemInfo utility gathers detailed information about a computer, including hardware, operating system, drivers, installed software, etc. This utility can be very useful for determining the cause of certain issues.


GetSystemInfo utility, version 4.1.0.245


  1. Run GetSystemInfo.exe on the computer with the problem.
  2. Click the Create report button in the right part of the main window.
  3. Wait until the utility has completely scanned the system.
  4. Click OK to confirm the creation of a report.


A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.   Attach this report to your created case, or e-mail it to your LANDesk Support technician.


This GetSystemInfo report can then be parsed and further analyzed by doing the following:


  1. Browse to http://www.getsysteminfo.com/
  2. From the GetSystemInfo web site click "Choose file" and then browse to the previously gathered GetSystemInfo log file and upload it to the site.



Network Attack Tracer

If your computer is being attacked by an unknown worm, LANDesk Antivirus with the latest available updates does not detect any suspicious objects, and you do not know how to protect the computer from the worm, use the kldump.exe utility.

This utility creates dump files of network attacks. You can then send such dump files to Kaspersky Lab for analysis.

http://support.kaspersky.com/772


If the problem is a Blue Screen, collect a Kernel Memory Dump


1. Right-click "My computer" and choose "Properties"

2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"

3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Kernel memory dump".

4. Make note of the path that the MEMORY.DMP file will be saved to.

5. Reproduce the blue screen issue, then collect the MEMORY.DMP file and compress it into a .ZIP file.

A kernel memory dump must be supplied, a mini memory dump does not supply sufficient information.
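An added PowerShell example (not from the article) that checks and sets the same "Write debugging information" option through the CrashControl registry key, which is where the System Properties dialog stores it, so the setting can be verified on a client before trying to reproduce the crash.

```powershell
# Added example: verify or set the kernel memory dump option via the registry.
# Requires an elevated prompt; the change takes effect after a reboot.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$p  = Get-ItemProperty -Path $cc

# CrashDumpEnabled values: 0 = none, 1 = complete, 2 = kernel, 3 = small (mini) dump
$names = @{ 0 = 'none'; 1 = 'complete'; 2 = 'kernel'; 3 = 'small (mini)' }
$current = [int]$p.CrashDumpEnabled
Write-Output ('Current dump type: {0} ({1})' -f $current, $names[$current])
Write-Output ('Dump file path:    {0}' -f $p.DumpFile)   # typically %SystemRoot%\MEMORY.DMP

if ($current -ne 2) {
    # A mini dump is not sufficient for support; switch to a kernel memory dump.
    Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Value 2 -Type DWord
    Write-Output 'Set to kernel memory dump; reboot before reproducing the blue screen.'
}
```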
