This article details the troubleshooting steps for Ivanti Antivirus. For high-level training it is highly recommended to go through the relevant areas of KL 102.10: Kaspersky Endpoint Security and Management.
Ivanti Antivirus Installation
Three different methods can be used to install Ivanti Antivirus on a client.
Installed as part of the Agent installation
- Select Ivanti Antivirus component within the Agent Configuration - Start - Agent Components to Install section.
- Configure desired settings within the Agent Configuration - Security and Compliance - Ivanti Antivirus section.
Installed through an Install/Update Security Components task
- Open the Agent Settings tool within the Ivanti Endpoint Manager console.
- Select the Create a Task dropdown and select Install/Update Security Components.
- Select the desired Task Type, select the Ivanti Antivirus Components to Install, select the desired Task Options and the desired reboot options (controlled through Scan and Repair Settings).
Note: If experiencing installation issues, you can select the box "Troubleshoot Ivanti Antivirus installation using interactive mode" to run an Antivirus installation with a full UI available.
Run "vulscan /installav" from the command line of a client computer
If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui").
- Bases.cab - Antivirus Bases (Pattern files)
- Cleaner.cab - rules for detection of incompatible software
- Incompatible.txt - list of incompatible software
- Kes10SP1MR2_en.msp - MR2 patch
- Kes10win.msi - MSI Installation package
Files not used by the Ivanti Endpoint Manager Installation of Kaspersky Antivirus
Installation log files
| Log file | Purpose | Location |
| --- | --- | --- |
| ldav_install.log | Logs installation activity controlled by LDAV.EXE | C:\ProgramData\LANDESK\Log |
| installav.log (or installav#.log) | Logs installation activity controlled by Vulscan.exe | C:\ProgramData\LANDESK\Log |
| KESPatchMSI.log, KESPatch.log | Logs installation of all Kaspersky patches applied | C:\ProgramData\LANDESK\Log |
| ucaevents.log | Logs installation of Kaspersky | C:\Windows\Temp or %Temp% |
| kl-setup-YYYY-MM-DD-HH-MM-SS.log | Logs preparation, such as removal of incompatible programs, etc. | C:\ProgramData\LANDESK\log (copied from the Windows temp dir or %temp% after completion) |
| kl-update-YYYY-MM-DD-HH-MM-SS.log | Logs the initial bases (pattern files) update | C:\ProgramData\LANDESK\log (copied from the Windows temp dir or %temp% after completion) |
| kl-install-YYYY-MM-DD-HH-MM-SS.log | Logs the main Kaspersky installation | C:\ProgramData\LANDESK\log (copied from the Windows temp dir or %temp% after completion) |
Most installation failures will be logged within the LDAV_INSTALL.LOG or in the KL*.log. Installation activity is also recorded to the Security Activity tool within the Ivanti Endpoint Manager console.
The Windows Event viewer will show the following type of events as well:
Windows Installer reconfigured the product. Product Name: Kaspersky Endpoint Security 10 for Windows. Product Version: 10.2.5.3201. Product Language: 1033. Manufacturer: Kaspersky Lab. Reconfiguration success or error status: 0.
Doing a "Find" in the Event Viewer logs for "Ivanti" or "Kaspersky" can also be useful for finding successes or failures.
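The same search can be scripted so that a technician does not have to page through the Event Viewer by hand. The script below is an added example and is not part of the Ivanti article; it assumes it is run in an elevated PowerShell prompt on the client, that the Application log still holds the events, and that the seven-day window and the name pattern are reasonable defaults (both are parameters).

```powershell
# Added example (not from the Ivanti article): list Windows Installer events that mention
# Kaspersky, Ivanti or LANDESK, to spot install successes and failures quickly.
# Assumptions: run elevated on the client; -Days and -Pattern are assumed defaults.
param(
    [int]$Days = 7,
    [string]$Pattern = 'Kaspersky|Ivanti|LANDESK'
)

$since = (Get-Date).AddDays(-$Days)

# MsiInstaller is the provider that writes the "Windows Installer reconfigured the product"
# events quoted in the article.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    StartTime    = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $Pattern }

foreach ($e in $events) {
    # Windows Installer ends these messages with a status code; 0 means success,
    # anything else is an MSI error code worth looking up.
    $status = if ($e.Message -match 'status:\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Status  = $status
        Result  = if ($status -eq 0) { 'OK' } elseif ($null -eq $status) { 'n/a' } else { 'FAILED' }
        Message = ($e.Message -split "`r?`n")[0]   # first line only, keeps the table readable
    }
}
```

Save it as a .ps1 and run it after an installation attempt; a non-zero Status on the Kaspersky Endpoint Security product line is the event to correlate with LDAV_INSTALL.LOG or the KL*.log files.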
Installation requires a reboot if installing over an older version of Ivanti Antivirus or removing another 3rd party Antivirus.
In addition it will require another reboot after the latest critical updates have been applied as part of updating the pattern files.
Possible Installation issues
- Insufficient Memory - Install failures due to insufficient memory can be viewed in the Security Activity tool in the Ivanti Endpoint Manager console and in the MSI_Install.log file.
- Conflicting 3rd Party Software
During installation, Ivanti Antivirus will detect the presence of incompatible 3rd-party software. Ivanti Antivirus utilizes the Kaspersky Cleaner utility in addition to the existing removal capabilities of LDAVHLPR.DLL. If conflicting software is found during the Ivanti Antivirus installation, one of two events will occur:
- Conflicting software will be automatically removed (see: List of applications incompatible with Kaspersky Endpoint Security 10 for Windows).
- Installation will fail. Install failures due to incompatible software are viewable in KL*.log.
General Troubleshooting Flowchart
When the flowchart refers to "KES", this means Kaspersky Endpoint Security; the term is interchangeable with "LDAV".
Troubleshooting System Watcher
At times it becomes necessary to troubleshoot System Watcher. System Watcher is a vital component of Ivanti Antivirus and generally should not be disabled.
The following flowchart shows details about troubleshooting this antivirus component:
Troubleshooting Compatibility Issues
1. Pause LDAV protection by clicking "Pause protection and control..." in the LDAV tray menu.
2. Try to reproduce the problem.
   - If the problem is still reproduced, go to step 3.
   - If the problem is not reproduced anymore, restore LDAV protection and start turning off LDAV protection components one by one.
   - Check whether the issue persists after each step. The aim is to find the faulty component. When the component is found, gather traces with only this component enabled.
3. Stop the LDAV service by clicking "Exit" in the LDAV tray menu.
4. Try to reproduce the problem.
   - If the problem is still reproduced, go to step 5.
   - If the problem is not reproduced, start LDAV and gather traces with all components disabled.
5. If you got to this step, this is a driver issue. The aim is to find the faulty driver. LDAV drivers are located in the "C:\Windows\System32\drivers" folder.
6. Disable LDAV self-defense. Then start disabling LDAV drivers by renaming them (you can change the extension from .sys to .bak, for example).
7. Rename drivers one by one, reboot the machine after each step and then check whether the issue persists or not.
Please note that drivers should be disabled in the following sequence:
- kltdi.sys (Windows 7/2008)
- klwfp.sys (Windows 8 and later)
Uninstalling Ivanti Antivirus
The following methods can be used to uninstall Ivanti Antivirus:
- Schedule a "Remove Security Components" task from within the Security Activity tool in the Ivanti EPM Console. Select "Ivanti Antivirus" as a component to remove.
- Run "vulscan /removeav" from the client command line
If this fails it may be necessary to run the following:
The KAV Removal tool should be used in case uninstallation by other methods fail or there is suspicion that there are leftovers from previous installations.
KAVRemover automatically detects the installed Kaspersky product. If detection fails the "-nodetect" command line switch should be used.
It is recommended to run KAVRemover in Safe Mode.
Log files for Antivirus uninstall
The kl-update-yyyy-mm-dd-hh-mm-ss.log files will be picked up by GetSystemInfo if run. The MSI log must be gathered manually.
Note: When attempting to remove and reinstall Ivanti Antivirus, an uninstall must be performed and then an install performed. Reinstalling over top does not remove and reinstall the .MSI, it simply performs the Ivanti EPM specific actions controlled by vulscan.exe and LDAV.EXE.
Note: The Ivanti Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features, as these features are covered by Ivanti Device Manager and Ivanti Patch and Compliance Manager.
- C:\ProgramData\LANDESKAV - Main directory for Ivanti Antivirus log files
- C:\ProgramData\Kaspersky Labs - Directory for Kaspersky trace files
- C:\Program Files (x86)\landesk\ldclient\antivirus - Main directory for Ivanti Antivirus service
- C:\Program Files (x86)\landesk\ldclient\antivirus\install - Used to install Ivanti Antivirus and rebrand Kaspersky Endpoint Security
- C:\Program Files (x86)\landesk\ldclient\antivirus\temp_bases8 - Used to update pattern files
- C:\Program Files (x86)\landesk\ldclient\antivirus\kav - Kaspersky Endpoint Security files
- C:\ProgramData\Kaspersky Lab\KES10\Bases - Pattern files directory for Kaspersky Endpoint Security 8.
- C:\Program Files\LANDESK\LDClient\Antivirus\KAV\Patches - Directory where Kaspersky patches are stored. Look here to see if patches have been downloaded.
| File | Purpose | Location |
| --- | --- | --- |
| LDAV.exe | Ivanti Antivirus Service | LDClient\Antivirus |
| LDAV.key | License file for Ivanti Antivirus | LDClient\Antivirus |
| Key Name | Purpose |
| --- | --- |
| HKLM\Software\KasperskyLab | Kaspersky Antivirus Settings |
| HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus | Configuration Information, Last Scan Dates, Status Information |
| HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan\klbehavior | Current assigned Ivanti Antivirus settings |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\976DD27DCE3AFCF4FAFA212E5542056B\Patches | Currently installed patches |
All of the drivers are stored in C:\Windows\System32\Drivers
There are typically six drivers:
Ivanti Antivirus Database Tables, Inventory Information and Security Activity
The Ivanti Antivirus scanner, as with the Ivanti Security vulnerability scanner, uses an XML file to configure its behavior. Antivirus Settings files are stored in C:\ProgramData\Vulscan\KLBehavior_<id>.xml
The following registry key value indicates the ID of the AV behavior being used:
Key: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan DWORD Value: KLBehavior
Antivirus Settings XML files can be updated using a Scheduled Task on the core, or they can be updated automatically according to the same schedule that vulscan uses to update its own Agent Behaviors. To refresh settings, create a Change Settings task on the Core Server: select the "Create a Task" dropdown in Patch Manager, select "Change Settings" and then create a schedule. Alternatively, "vulscan /changesettings" can be run from the client command line (add /showui to the command to view the UI while it is running).
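When a client does not appear to pick up the assigned settings, the first check is whether the KLBehavior id in the registry actually points at a settings file that exists and parses. The script below is an added example, not Ivanti's own tooling; it relies only on the registry key, value name and file path pattern given above, reads everything as read-only diagnostics, and makes no assumption about the element names inside the XML.

```powershell
# Added example (not part of the Ivanti article): resolve which Antivirus Settings XML file
# the client is currently using and confirm it is present and well formed.
# Assumptions: registry locations and the KLBehavior_<id>.xml naming are as documented above.
$vulscanKey = 'HKLM:\Software\LANDESK\ManagementSuite\WinClient\Vulscan'
$avKey      = 'HKLM:\Software\LANDESK\ManagementSuite\WinClient\Antivirus'

# KLBehavior (DWORD) holds the id of the assigned AV behavior.
$props = Get-ItemProperty -Path $vulscanKey -ErrorAction Stop
if ($null -eq $props.KLBehavior) {
    throw "KLBehavior value not found under $vulscanKey; no AV settings have been assigned yet."
}
$id   = [int]$props.KLBehavior
$file = Join-Path $env:ProgramData "Vulscan\KLBehavior_$id.xml"

if (-not (Test-Path $file)) {
    Write-Warning "KLBehavior id is $id but $file is missing. Run 'vulscan /changesettings' (add /showui to watch it) to refresh."
} else {
    $info = Get-Item $file
    # Casting to [xml] verifies the file is well formed; a truncated download fails here.
    [xml]$xml = Get-Content -Path $file -Raw
    [pscustomobject]@{
        BehaviorId   = $id
        SettingsFile = $file
        LastWritten  = $info.LastWriteTime
        RootElement  = $xml.DocumentElement.Name
    }
}

# Status information (last scan dates, etc.) lives under the Antivirus key; list what is there
# so the output can be compared with what the console reports for this device.
if (Test-Path $avKey) {
    Get-ItemProperty -Path $avKey | Select-Object * -ExcludeProperty PS*
}
```

A LastWritten timestamp older than the last settings change on the core, or a missing file, points at the refresh path (the Change Settings task or vulscan /changesettings) rather than at the Kaspersky engine itself.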
Settings that cannot be configured through Ivanti Endpoint Manager
Currently, not all settings available within the client-side Ivanti Antivirus GUI (Kaspersky Endpoint Security 10) can be configured using Ivanti Endpoint Manager. In order to utilize settings not available within the Ivanti Antivirus Settings in the Ivanti Endpoint Manager Console, the steps outlined in the following document can be performed:
Scheduled tasks for Update, Full and Critical Areas scans are created as Local Tasks; no task is created within Ivanti Antivirus itself. As a result, the tasks within the client UI will show "Manually".
- Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (recommended update frequency is daily, before the daily scan)
- Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Critical Areas Scan (recommended scan frequency is daily, after pattern files have been updated)
- Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Full System Scan (recommended scan frequency is weekly)
Gathering logging information for Ivanti support
Standard Log Files
- C:\ProgramData\Kaspersky Lab\*.log
- C:\Windows\Temp\KL*.log, %TEMP%\KL*.log
- C:\Windows\Temp\Ucaevents.log, %TEMP%\Ucaevents.log
- C:\Documents and Settings\All Users\Application Data\LANDESKAV\*.log
- C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log
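Collecting these files by hand on every affected client is error-prone, so the following added example (not from the Ivanti article) gathers the standard log files listed above together with the installation logs from the earlier table into one ZIP and prints a quick triage of lines that look like failures. It assumes an elevated prompt on the client, PowerShell 5.0 or later for Compress-Archive, and that C:\ProgramData is the modern location of the "All Users\Application Data" paths listed above; the output folder and the failure pattern are my own choices and are parameters.

```powershell
# Added example (not from the Ivanti article): gather Ivanti Antivirus / Kaspersky log files
# into one ZIP for a support case and print lines that look like failures.
# Assumptions: run elevated; PowerShell 5.0+ (Compress-Archive); -OutDir and -Pattern are my defaults.
param(
    [string]$OutDir  = (Join-Path $env:TEMP 'ivanti-av-logs'),
    [string]$Pattern = 'error|fail|exception|incompatible'
)

# Paths from the article. C:\ProgramData is the modern equivalent of
# "C:\Documents and Settings\All Users\Application Data".
$globs = @(
    'C:\ProgramData\Kaspersky Lab\*.log',
    'C:\Windows\Temp\KL*.log',        (Join-Path $env:TEMP 'KL*.log'),
    'C:\Windows\Temp\Ucaevents.log',  (Join-Path $env:TEMP 'Ucaevents.log'),
    'C:\ProgramData\LANDESKAV\*.log',
    'C:\ProgramData\vulscan\installav*.log',
    'C:\ProgramData\LANDESK\Log\ldav_install.log',
    'C:\ProgramData\LANDESK\Log\KESPatch*.log',
    'C:\ProgramData\LANDESK\Log\kl-*.log'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$collected = foreach ($g in $globs) {
    Get-ChildItem -Path $g -File -ErrorAction SilentlyContinue
}

foreach ($f in $collected) {
    # Keep the source path in the file name so identically named files do not collide.
    $dest = Join-Path $OutDir ($f.FullName -replace '[:\\]', '_')
    Copy-Item -Path $f.FullName -Destination $dest -Force
}

# Quick triage: matching lines with file name and line number, newest files first.
$collected | Sort-Object LastWriteTime -Descending |
    Select-String -Pattern $Pattern |
    Select-Object Filename, LineNumber, Line -First 40

$zip = Join-Path $env:TEMP ("ivanti-av-logs-{0}-{1:yyyyMMdd-HHmm}.zip" -f $env:COMPUTERNAME, (Get-Date))
Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $zip -Force
"Collected $($collected.Count) log files into $zip"
```

The GetSystemInfo report described below already contains most of these files, so this script is mainly useful when GetSystemInfo cannot be run or when only the Ivanti-side installation logs are needed.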
This is a very important log file to get. This should be the first log that is retrieved, as it contains most of the log files above along with detailed information about the computer, including hardware information, operating system, drivers, installed software, etc. This utility can be very useful for determining the cause of certain issues.
- Extract the downloaded GetSystemInfo Utility .ZIP file
- Run GSI.EXE that you extracted from the .ZIP file
- Click the green "Play" button to start gathering the report.
- Wait until the utility has completely scanned the system. (This may take quite some time.)
- Click OK to confirm the creation of a report.
A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip. Attach this report to your created case, or e-mail it to your Ivanti Support technician. The GetSystemInfo report can then be reviewed and further analyzed by doing the following:
- Browse to http://www.getsysteminfo.com/
- From the GetSystemInfo web site click "Choose file" and then browse to the previously gathered GetSystemInfo log file and upload it to the site.
- After uploading the file you can analyze it yourself.
- This will bring up a tabbed interface with various information:
Trace Log Files
The following article contains detailed information for gathering trace log files: How to gather trace log files for Ivanti Antivirus
Antivirus client configuration export
At times it may be required to export the configuration from the Antivirus client. The following is the procedure to do so:
Advanced Logging for the Updater SDK (for troubleshooting definition download issues)
1. Copy the attached UPDSDK.XML to the \ManagementSuite\LDLogon\Antivirus8 folder on the core server.
2. Download Antivirus pattern files
This will create an UpdaterSDK7.log file in the managementsuite folder.
In case of a blue screen, a memory dump will need to be gathered.
- Right-click "My computer" and choose "Properties"
- Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
- Under the "System failure" section under "Write debugging information" click the drop-down and select "Complete memory dump"
- Make note of the path that the MEMORY.DMP file will be saved to.
- Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.
A complete memory dump must be supplied; a mini dump does not supply sufficient information.
See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.
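Because a mini dump is rejected, it is worth verifying the dump type before trying to reproduce the blue screen rather than discovering the wrong setting afterwards. The script below is an added example and not from the Ivanti article; it reads the same setting that the Startup and Recovery dialog writes (the CrashControl registry values, whose documented meanings are 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic), reports where MEMORY.DMP will be written, and only changes the value when run with -SetComplete from an elevated prompt. The change takes effect on the next boot.

```powershell
# Added example (not from the Ivanti article): check, and optionally set, the kernel crash dump
# type so the next blue screen produces a complete MEMORY.DMP.
# Assumptions: documented CrashControl values (CrashDumpEnabled 0=None, 1=Complete, 2=Kernel,
# 3=Small, 7=Automatic); -SetComplete needs an elevated prompt and a reboot to apply.
param([switch]$SetComplete)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$names = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
            3 = 'Small memory dump (mini dump)'; 7 = 'Automatic memory dump' }

$cc      = Get-ItemProperty -Path $key
$current = [int]$cc.CrashDumpEnabled
$dumpPath = if ($cc.DumpFile) { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) }
            else { '%SystemRoot%\MEMORY.DMP (value absent, Windows default)' }

[pscustomobject]@{
    DumpType   = "$current ($($names[$current]))"
    DumpFile   = $dumpPath
    Overwrite  = [bool]$cc.Overwrite
    # A complete dump needs a page file on the system drive of at least physical RAM + 1 MB.
    PhysicalMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
}

if ($current -ne 1) {
    if ($SetComplete) {
        Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 1 -Type DWord
        "CrashDumpEnabled set to 1 (Complete). Reboot before reproducing the blue screen."
    } else {
        Write-Warning "Dump type is '$($names[$current])', not Complete. Re-run with -SetComplete (elevated) or change it under Startup and Recovery."
    }
}
```

Note the PhysicalMB figure: if the page file on the system drive is smaller than that plus 1 MB, Windows cannot write a complete dump even with the setting correct, so compare it with the page file size before reproducing the crash.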
Submitting files for investigation by Kaspersky