How To: Troubleshoot LANDESK Antivirus

Version 103

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

    This article details the troubleshooting steps for LANDESK Antivirus.  For high-level training, it is highly recommended to go through the relevant areas of KL 102.10: Kaspersky Endpoint Security and Management.



    LANDESK Antivirus Installation


    Three different methods can be used to install LANDESK Antivirus on a client.


    Installed as part of the Agent installation

      1. Select LANDESK Antivirus component within the Agent Configuration - Start - Agent Components to Install section.
      2. Configure desired settings within the Agent Configuration - Security and Compliance - LANDESK Antivirus section.


    Installed through an Install/Update Security Components task

    Open the Agent Settings tool within the LDMS console.

      1. Select the Create a Task dropdown and select Install/Update Security Components.
      2. Select the desired Task Type, select the LANDESK Antivirus components to install, and select the desired Task Options and reboot options (controlled through Scan and Repair Settings).

        Note: If experiencing installation issues, you can select the box "Troubleshoot LANDESK Antivirus installation using interactive mode" to run an Antivirus installation with a full UI available.


    Run "vulscan /installav" from the command line of a client computer

    If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui")


    Installation files

      • - Antivirus Bases (Pattern files)
      • - rules for detection of incompatible software
      • Incompatible.txt - list of incompatible software
      • Kes10SP1MR2_en.msp - MR2 patch
      • Kes10win.msi - MSI Installation package

    Files not used by LANDESK Installation of Kaspersky Antivirus

      • aes_encryption_module.msi
      • Kes10win.kpd
      • Kes10win.kud
      • klcfginst.exe



    Installation log files

    Log Filename | Purpose | Location
    ldav_install.log | Logs installation activity controlled by LDAV.EXE | C:\ProgramData\LANDESK\Log
    installav.log (or installav#.log) | Logs installation activity controlled by Vulscan.exe | C:\ProgramData\LANDESK\Log
    KESPatchMSI.log, KESPatch.log | Logs installation of all Kaspersky patches applied | C:\ProgramData\LANDESK\Log
    ucaevents.log | Logs installation of Kaspersky | C:\Windows\Temp or %Temp%
    kl-setup-YYYY-MM-DD-HH-MM-SS.log | Logs preparation, such as removal of incompatible programs, etc. | C:\ProgramData\LANDESK\log (Copied from Windows temp dir or %temp% after complete)
    kl-update-YYYY-MM-DD-HH-MM-SS.log | Logs initial bases (pattern files) update | C:\Programdata\LANDESK\log (Copied from Windows temp dir or %temp% after complete)
    kl-install-YYYY-MM-DD-HH-MM-SS.log | Logs the main Kaspersky installation | C:\Programdata\LANDESK\log (Copied from Windows temp dir or %temp% after complete)


    Installation troubleshooting tips: To easily open the log file directories, at the client "Run" line type "vulscan log" to open the %programdata%\landesk\log directory, or "vulscan av" to open the %programdata%\LANDESKAV folder.



    Most installation failures will be logged within the LDAV_INSTALL.LOG or in the KL*.log.  Installation activity is also recorded to the Security Activity tool within the LDMS console. 


    The Windows Event viewer will show the following type of events as well:

    Windows Installer reconfigured the product. Product Name: Kaspersky Endpoint Security 10 for Windows. Product Version: Product Language: 1033. Manufacturer: Kaspersky Lab. Reconfiguration success or error status: 0.

    Doing a "Find" in the Event Viewer logs for "LANDESK" or "Kaspersky" can also be useful for finding successes or failures.
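The Event Viewer search described above can also be scripted. The following PowerShell is an added example, not part of the original article: the 14-day window and the output columns are choices made here, and the outcome labels use the standard Windows Installer codes 0, 1641 and 3010.

```powershell
# Added example: list Windows Installer events that mention the product and
# classify the "success or error status" code carried in each message.
$since  = (Get-Date).AddDays(-14)      # look-back window chosen for this example
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Kaspersky|LANDESK' } |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Installer messages end with "... success or error status: <code>."
        $code = $null
        if ($_.Message -match 'success or error status:\s*(\d+)') { $code = [int]$Matches[1] }

        $outcome = if ($null -eq $code) { 'no status in message' }
            elseif ($code -eq 0)        { 'success' }
            elseif ($code -eq 1641)     { 'success, reboot started' }
            elseif ($code -eq 3010)     { 'success, reboot required' }
            else                        { 'FAILED' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Status  = $code
            Outcome = $outcome
            Message = ($_.Message -split '\r?\n')[0]   # first line only
        }
    } |
    Format-Table -AutoSize -Wrap
```

Rows marked FAILED give the time window to look up in LDAV_INSTALL.LOG and the KL*.log files.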


    Installation requires a reboot if installing over an older version of LANDESK Antivirus or removing another 3rd party Antivirus. 

    In addition it will require another reboot after the latest critical updates have been applied as part of updating the pattern files.

    Possible Installation issues

    • Insufficient Memory - Install failures due to insufficient memory can be viewed in the Security Activity tool in the LDMS console and in the MSI_Install.log file.

    See Kaspersky Endpoint Security 10 for Windows (for workstations)

    • Conflicting 3rd Party Software

    During installation, LANDESK Antivirus will detect the presence of incompatible 3rd-party software.  LANDESK Antivirus utilizes the Kaspersky Cleaner utility in addition to the existing removal capabilities of LDAVHLPR.DLL.  If conflicting software is found during the LANDESK Antivirus installation, one of two events will occur:

    Conflicting software will be automatically removed - List of applications incompatible with Kaspersky Endpoint Security 10 for Windows

    Installation will fail - Install failures due to incompatible software are viewable in KL*.log.

    General Troubleshooting Flowchart




    When the flowchart refers to "KES", it means Kaspersky Endpoint Security, which is interchangeable with "LDAV".


    Troubleshooting System Watcher


    At times it becomes necessary to troubleshoot System Watcher.  System Watcher is a vital component of LANDESK Antivirus and generally should not be disabled.


    The following flowchart shows details about troubleshooting this antivirus component:





    Troubleshooting Compatibility Issues


    1. Pause LDAV protection by clicking «Pause protection and control...» in the LDAV tray menu.
    2. Try to reproduce the problem.
      1. If the problem still reproduces, go to step 3.
      2. If the problem no longer reproduces, restore LDAV protection and start turning off LDAV protection components one by one.
      3. Check whether the issue persists after each step. The aim is to find the faulty component. When the component is found, gather traces with only this component enabled.
    3. Stop the LDAV service by clicking «Exit» in the LDAV tray menu.
    4. Try to reproduce the problem.
      1. If the problem still reproduces, go to step 5.
      2. If the problem does not reproduce, start LDAV and gather traces with all components disabled.
    5. If you got to this step, this is a driver issue. The aim is to find the faulty driver. LDAV drivers are located in the «C:\Windows\System32\drivers» folder.
    6. Disable LDAV self-defense. Then start disabling LDAV drivers by renaming them (for example, by changing the extension from .sys to .bak).
    7. Rename the drivers one by one, rebooting the machine after each step, and then check whether the issue persists.


    Please note that drivers should be disabled in the following sequence:



    kltdi.sys (Windows 7/2008)

    klwfp.sys (Windows 8 and later)





    Uninstalling LANDESK Antivirus


    The following methods can be used to uninstall LANDESK Antivirus:


    1. Schedule a "Remove Security Components" task from within the Security Activity tool in the LANDESK Console.  Select "LANDESK Antivirus" as a component to remove.
    2. Run "vulscan /removeav" from the client command line


    If this fails it may be necessary to run the following:


    The KAV Removal tool should be used if uninstallation by other methods fails or there is suspicion that there are leftovers from previous installations.


    KAVRemover automatically detects the installed Kaspersky product.   If detection fails the "-nodetect" command line switch should be used.


    It is recommended to run KAVRemover in Safe Mode


    Log files for Antivirus uninstall

    • %TEMP%\MSIXXXX.log
    • kl-update-YYYY-MM-DD-HH-MM-SS.log


    The kl-update-yyyy-mm-dd-hh-mm-ss.log files will be picked up by GetSystemInfo if run.  The MSI log must be gathered manually.


    Note: When attempting to remove and reinstall LANDESK Antivirus, an uninstall must be performed and then an install performed.  Reinstalling over the top does not remove and reinstall the .MSI; it simply performs the LANDESK-specific actions controlled by vulscan.exe and LDAV.EXE.

    Product Activation


    How to troubleshoot LANDESK Antivirus license issues


           Note: The LANDESK Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features as these features are covered by LANDESK Device Manager and LANDESK Patch Manager.



    • C:\ProgramData\LANDESKAV - Main directory for LANDESK Antivirus log files
    • C:\ProgramData\Kaspersky Labs - Directory for Kaspersky trace files
    • C:\Program Files (x86)\landesk\ldclient\antivirus - Main directory for LANDESK Antivirus service
    • C:\Program Files (x86)\landesk\ldclient\antivirus\install - Used to install LANDESK Antivirus and rebrand Kaspersky Endpoint Security
    • C:\Program Files (x86)\landesk\ldclient\antivirus\temp_bases8 - Used to update pattern files
    • C:\Program Files (x86)\landesk\ldclient\antivirus\kav - Kaspersky Endpoint Security files
    • C:\ProgramData\Kaspersky Lab\KES10\Bases - Pattern files directory for Kaspersky Endpoint Security 8.
    • C:\Program Files\LANDESK\LDClient\Antivirus\KAV\Patches - Directory where Kaspersky patches are stored.  Look here to see if patches have been downloaded.




    LDAV.exe | LANDESK Antivirus Service | LDClient\Antivirus
    LDAV.key | License file for LANDESK Antivirus | LDClient\Antivirus


    Registry Keys


    Key Name | Purpose
    HKLM\Software\KasperskyLab | Kaspersky Antivirus Settings
    HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus | Configuration Information, Last Scan Dates, Status Information
    HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\License | License details
    HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan\klbehavior | Current assigned LANDESK Antivirus settings
    HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\976DD27DCE3AFCF4FAFA212E5542056B\Patches | Currently installed patches



    Drivers Location


    All of the drivers are stored in C:\Windows\System32\Drivers


    There are typically six drivers:


    • KL1.SYS
    • KLIF.SYS


    LANDESK Antivirus Database Tables, Inventory Information and Security Activity


    LANDESK Antivirus: Database Tables, Inventory Information, and Security Activity




    The LANDESK Antivirus scanner, as with the LANDESK Security vulnerability scanner, uses an XML file to configure its behavior.  Antivirus Settings files are stored in C:\ProgramData\Vulscan\KLBehavior_<id>.xml


    The following registry key value indicates the ID of the AV behavior being used:

        • Key: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan  DWORD Value: KLBehavior


    Antivirus Settings XML files can be updated using a Scheduled Task on the core, or they can be updated automatically according to the same schedule that vulscan uses to update its own Agent Behaviors.  To refresh settings, create a Change Settings task on the Core Server: select the "Create a Task" dropdown in Patch Manager, select "Change Settings" and then create a schedule.  Alternatively, "vulscan /changesettings" can be run from the client command line (add /showui to the command to view the UI while it is running).
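To confirm which settings file a client is actually using, and whether a Change Settings run refreshed it, the registry value and the file can be checked together. The following PowerShell is an added example, not part of the original article; reading both the 32-bit and 64-bit registry views is a precaution assumed here for 64-bit Windows, and the output columns are this example's own.

```powershell
# Added example: resolve the active Antivirus settings file from the KLBehavior value.
$subKey      = 'Software\LANDESK\ManagementSuite\WinClient\Vulscan'
$settingsDir = 'C:\ProgramData\Vulscan'

# Assumption of this example: the value may live in either registry view.
$id = $null
foreach ($view in 'Registry32', 'Registry64') {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($key) { $id = $key.GetValue('KLBehavior'); $key.Dispose() }
    } finally { $base.Dispose() }
    if ($null -ne $id) { break }
}
if ($null -eq $id) { throw "KLBehavior value not found under HKLM\$subKey" }

$file = Join-Path $settingsDir "KLBehavior_$id.xml"
if (-not (Test-Path -LiteralPath $file)) {
    # The assigned ID has no matching file: show which settings files do exist.
    $present = (Get-ChildItem -Path $settingsDir -Filter 'KLBehavior_*.xml' -ErrorAction SilentlyContinue).Name -join ', '
    throw "Settings ID $id is assigned but $file is missing (present: $present)"
}

# A truncated or corrupt file fails here rather than silently at scan time.
try   { $xml = [xml](Get-Content -LiteralPath $file -Raw) }
catch { throw "$file is not well-formed XML: $($_.Exception.Message)" }

[pscustomobject]@{
    BehaviorId  = $id
    File        = $file
    LastWritten = (Get-Item -LiteralPath $file).LastWriteTime
    RootElement = $xml.DocumentElement.Name
}
```

Comparing LastWritten before and after "vulscan /changesettings" shows whether the client picked up new settings.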

    Settings that cannot be configured through LANDESK Management Suite


    Currently, not all settings available within the client-side LANDESK Antivirus GUI (Kaspersky Endpoint Security 10) can be configured using LANDESK Management Suite.  To use settings that are not available within the LANDESK Antivirus Settings in the LANDESK Management Suite Console, follow the steps outlined in this document:

    How to import Kaspersky Agent settings to the LDMS Agent settings on the Core





    Scheduled tasks for Update, Full, and Critical Areas scans are created via Local Tasks.  This does not create a task within LANDESK Antivirus.  As a result, the tasks within the Client UI will show "Manually".


    To view the LANDESK Local Scheduled tasks, run the following from the LDCLIENT directory: LocalSch.exe /tasks | more

    Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (Recommended update frequency is daily, before the daily scan)

    Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Critical Areas Scan (Recommended scan frequency is daily, after pattern files have been updated)

    Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Full System Scan (Recommended scan frequency is weekly)


    Gathering logging information for LANDESK support


    Standard Log Files


    • C:\ProgramData\LANDESKAV\*.log
    • C:\ProgramData\LANDESK\Log\*.log
    • C:\ProgramData\vulscan\installav*.log
    • C:\ProgramData\Kaspersky Lab\*.log
    • C:\Windows\Temp\KL*.log, %TEMP%\KL*.log
    • C:\Windows\Temp\Ucaevents.log, %TEMP%\Ucaevents.log
    • C:\Documents and Settings\All Users\Application Data\LANDESKAV\*.log
    • C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log
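The standard locations above can be gathered in one pass. The following PowerShell is an added example, not part of the original article; it assumes PowerShell 5 or later (for Compress-Archive), and the staging folder name and manifest file are choices made here.

```powershell
# Added example: stage the standard log files listed above and zip them for a case.
# The "Documents and Settings" entries are left out: on current Windows versions
# that folder is a junction to the ProgramData paths already listed.
$patterns = @(
    'C:\ProgramData\LANDESKAV\*.log'
    'C:\ProgramData\LANDESK\Log\*.log'
    'C:\ProgramData\vulscan\installav*.log'
    'C:\ProgramData\Kaspersky Lab\*.log'
    'C:\Windows\Temp\KL*.log'
    "$env:TEMP\KL*.log"
    'C:\Windows\Temp\Ucaevents.log'
    "$env:TEMP\Ucaevents.log"
) | Sort-Object -Unique    # %TEMP% is C:\Windows\Temp when run as SYSTEM

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$stage = Join-Path $env:TEMP "LDAV-logs-$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $stage | Out-Null

$manifest = foreach ($pattern in $patterns) {
    foreach ($log in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        # One subfolder per source directory so same-named logs do not collide
        $sub = Join-Path $stage ($log.DirectoryName -replace '[:\\ ]+', '_')
        New-Item -ItemType Directory -Path $sub -Force | Out-Null
        Copy-Item -LiteralPath $log.FullName -Destination $sub
        [pscustomobject]@{
            Source   = $log.FullName
            Bytes    = $log.Length
            Modified = $log.LastWriteTime
        }
    }
}

if (-not $manifest) { throw 'No log files were found in the standard locations.' }

# The manifest records where each file came from and when it was last written.
$manifest | Export-Csv -Path (Join-Path $stage 'manifest.csv') -NoTypeInformation
Compress-Archive -Path (Join-Path $stage '*') -DestinationPath "$stage.zip"
"Collected $(@($manifest).Count) files into $stage.zip"
```

Run it from an elevated prompt so the ProgramData and C:\Windows\Temp locations are readable.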

    GetSystemInfo Report


    This is a very important log file to get.  It should be the first log retrieved, as it contains most of the log files above along with detailed information about a computer, including hardware information, operating systems, drivers, installed software, etc.  This utility can be very useful for determining the cause of certain issues.


    GetSystemInfo Utility Download


      1. Extract the downloaded GetSystemInfo Utility .ZIP file
      2. Run GSI.EXE that you extracted from the .ZIP file
      3. Click the green "Play" button to start gathering the report.
      4. Wait until the utility has completely scanned the system.  (This may take quite some time.)
      5. Click OK to confirm the creation of a report.


    A file will be created with the default name GetSystemInfo_<USER>  Attach this report to your created case, or e-mail it to your LANDESK Support technician.  The GetSystemInfo report can then be reviewed and further analyzed by doing the following:

      1. Browse to
      2. From the GetSystemInfo web site click "Choose file" and then browse to the previously gathered GetSystemInfo log file and upload it to the site.
      3. After uploading the file you can analyze it yourself.
      4. This will bring up a tabbed interface with various information:

    Trace Log Files


    The following article contains detailed information for gathering trace log files: How to gather trace log files for LANDESK Antivirus

    Antivirus client configuration export

    At times it may be required to export the configuration from the Antivirus client.   The following is the procedure to do so:


    How To: Import/Export Kaspersky Agent Settings


    Advanced Logging for the Updater SDK (for troubleshooting definition download issues)


    1. Copy the attached UPDSDK.XML to the \ManagementSuite\LDLogon\Antivirus8 folder on the core server.

    2. Download Antivirus pattern files


    This will create an UpdaterSDK7.log file in the managementsuite folder.


    Memory dump

    In case of a blue screen, a memory dump will need to be gathered.


      1. Right-click "My computer" and choose "Properties"
      2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
      3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Complete memory dump"
      4. Make note of the path that the MEMORY.DMP file will be saved to.
      5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.

    A complete memory dump must be supplied; a mini dump does not supply sufficient information.


    See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.


    Submitting files for investigation by Kaspersky


    How to report undetected viruses or false positives to LANDESK