How To: Troubleshoot Ivanti Antivirus

Version 105

    Verified Product Versions

    • LANDESK Management Suite 9.6
    • LANDESK Management Suite 2016.x
    • LANDESK Endpoint Manager 2017.x

    This article details the troubleshooting steps for Ivanti Antivirus. For high-level training it is highly recommended to go through the relevant areas of KL 102.10: Kaspersky Endpoint Security and Management.

     


     

    Ivanti Antivirus Installation

     

    Three different methods can be used to install Ivanti Antivirus on a client: as part of the agent installation, through an Install/Update Security Components task, or from the client command line.

     

    Installed as part of the Agent installation

      1. Select Ivanti Antivirus component within the Agent Configuration - Start - Agent Components to Install section.
      2. Configure desired settings within the Agent Configuration - Security and Compliance - Ivanti Antivirus section.

     

    Installed through an Install/Update Security Components task

      1. Open the Agent Settings tool within the Ivanti Endpoint Manager console.
      2. Select the Create a Task dropdown and select Install/Update Security Components.
      3. Select the desired Task Type, select the Ivanti Antivirus components to install, and select the desired Task Options and reboot options (controlled through Scan and Repair Settings).

        Note: If experiencing installation issues, you can select the checkbox "Troubleshoot Ivanti Antivirus installation using interactive mode" to run an Antivirus installation with a full UI available.

     

    Run "vulscan /installav" from the command line of a client computer

    If experiencing installation issues, add the command line options "/interactive" and "/showui" ("vulscan /installav /interactive /showui") so the installer runs with its UI visible.

     

    Installation files

      • Bases.cab - Antivirus Bases (Pattern files)
      • Cleaner.cab - rules for detection of incompatible software
      • Incompatible.txt - list of incompatible software
      • Kes10SP1MR2_en.msp - MR2 patch
      • Kes10win.msi - MSI Installation package


    Files not used by the Ivanti Endpoint Manager Installation of Kaspersky Antivirus

      • aes_encryption_module.msi
      • Kes10win.kpd
      • Kes10win.kud
      • klcfginst.exe

     

     

    Installation log files

    • ldav_install.log - Logs installation activity controlled by LDAV.EXE. Location: C:\ProgramData\LANDESK\Log
    • installav.log (or installav#.log) - Logs installation activity controlled by Vulscan.exe. Location: C:\ProgramData\LANDESK\Log
    • KESPatchMSI.log, KESPatch.log - Logs installation of all Kaspersky patches applied. Location: C:\ProgramData\LANDESK\Log
    • ucaevents.log - Logs installation of Kaspersky. Location: C:\Windows\Temp or %Temp%
    • kl-setup-YYYY-MM-DD-HH-MM-SS.log - Logs preparation, such as removal of incompatible programs. Location: C:\ProgramData\LANDESK\log (copied from the Windows temp directory or %temp% after completion)
    • kl-update-YYYY-MM-DD-HH-MM-SS.log - Logs the initial bases (pattern files) update. Location: C:\ProgramData\LANDESK\log (copied from the Windows temp directory or %temp% after completion)
    • kl-install-YYYY-MM-DD-HH-MM-SS.log - Logs the main Kaspersky installation. Location: C:\ProgramData\LANDESK\log (copied from the Windows temp directory or %temp% after completion)

     

    Installation troubleshooting tip: To open the log file directories quickly, at the client "Run" line type "vulscan log" to open the %programdata%\LANDESK\log directory, or "vulscan av" to open the %programdata%\LANDESKAV folder.

     

     

    Most installation failures will be logged within LDAV_INSTALL.LOG or in the KL*.log files. Installation activity is also recorded in the Security Activity tool within the Ivanti Endpoint Manager console.

     

    The Windows Event viewer will show the following type of events as well:

    Windows Installer reconfigured the product. Product Name: Kaspersky Endpoint Security 10 for Windows. Product Version: 10.2.5.3201. Product Language: 1033. Manufacturer: Kaspersky Lab. Reconfiguration success or error status: 0.

    Doing a "Find" in the Event Viewer logs for "Ivanti" or "Kaspersky" can also be useful for locating successes or failures; in the Windows Installer events a "status: 0" means success and any other value is an error code.
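The Event Viewer search described above can be scripted. The following PowerShell is an added example and is not part of the Ivanti article or the product; it queries the Application log for Windows Installer (MsiInstaller) events mentioning Kaspersky, Ivanti or LANDESK, extracts the "success or error status" value shown in the sample message, and exits non-zero if any non-zero status was seen. It assumes Windows PowerShell 5.1 or later and an elevated session; the regexes are written against the message format quoted in the article.

```powershell
# Added example (not from the Ivanti article): find Windows Installer events for the
# antivirus product and surface their status codes. Assumes PowerShell 5.1+, run elevated.
param(
    [int]$Days      = 7,    # how far back to look
    [int]$MaxEvents = 500   # cap on MsiInstaller events examined
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Pull MsiInstaller events, then keep only those about the AV product.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Kaspersky|Ivanti|LANDESK' }

$report = foreach ($e in $events) {
    # Sample message in the article ends with "... success or error status: 0."
    $status  = if ($e.Message -match 'status:\s*(\d+)')            { [int]$Matches[1] } else { $null }
    $product = if ($e.Message -match 'Product Name:\s*([^.]+)\.')  { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Product = $product
        Status  = $status
        Result  = if ($null -eq $status) { 'n/a' } elseif ($status -eq 0) { 'OK' } else { 'ERROR' }
    }
}

if (-not $report) {
    "No MsiInstaller events mentioning the antivirus product in the last $Days day(s)."
    exit 0
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize

# Non-zero exit lets the script be used as a quick health check in a scheduled task.
$failed = @($report | Where-Object { $null -ne $_.Status -and $_.Status -ne 0 })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) installer event(s) reported a non-zero status."
    exit 1
}
```

Run it on the client after a failed install task; a row with Result "ERROR" points at the same MSI return code you will find in ldav_install.log or KESPatchMSI.log.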

     

    Installation requires a reboot if installing over an older version of Ivanti Antivirus or if another 3rd-party antivirus is removed.

    In addition, another reboot will be required after the latest critical updates have been applied as part of updating the pattern files.

    Possible Installation issues

    • Insufficient Memory - Install failures due to insufficient memory can be viewed in the Security Activity tool in the Ivanti Endpoint Manager console and in the MSI_Install.log file.

    See Kaspersky Endpoint Security 10 for Windows (for workstations)

    • Conflicting 3rd Party Software

    During installation, Ivanti Antivirus detects the presence of incompatible 3rd-party software. Ivanti Antivirus uses the Kaspersky Cleaner utility in addition to the existing removal capabilities of LDAVHLPR.DLL. If conflicting software is found during the Ivanti Antivirus installation, one of two things will happen:

    • Conflicting software will be automatically removed - see List of applications incompatible with Kaspersky Endpoint Security 10 for Windows

    • Installation will fail - Install failures due to incompatible software are viewable in KL*.log.

    General Troubleshooting Flowchart

    [Image: GeneralTroubleshooting.jpg - General Troubleshooting flowchart (click for full size)]

     

    When the flowchart refers to "KES" it means Kaspersky Endpoint Security; the term is interchangeable with "LDAV".

     

    Troubleshooting System Watcher

     

    At times it becomes necessary to troubleshoot System Watcher. System Watcher is a vital component of Ivanti Antivirus and generally should not be disabled.

     

    The following flowchart shows details about troubleshooting this antivirus component:

    [Image: SystemWatcherTroubleshoot.png - System Watcher troubleshooting flowchart (click for full size)]

     

     

    Troubleshooting Compatibility Issues

     

    1. Pause LDAV protection by clicking «Pause protection and control...» in the LDAV tray menu.
    2. Try to reproduce the problem.
      1. If the problem still reproduces, go to step 3.
      2. If the problem no longer reproduces, restore LDAV protection and start turning off LDAV protection components one by one.
      3. Check whether the issue persists after each step. The aim is to find the faulty component. When the component is found, gather traces with only this component enabled.
    3. Stop the LDAV service by clicking «Exit» in the LDAV tray menu.
    4. Try to reproduce the problem.
      1. If the problem still reproduces, go to step 5.
      2. If the problem does not reproduce, start LDAV and gather traces with all components disabled.
    5. If you got to this step, this is a driver issue. The aim is to find the faulty driver. LDAV drivers are located in the «C:\Windows\System32\drivers» folder.
    6. Disable LDAV self-defense. Then start disabling LDAV drivers by renaming them (for example, change the extension from .sys to .bak).
    7. Rename the drivers one by one, reboot the machine after each step, and then check whether the issue persists.

     

    Please note that the drivers should be disabled in the following sequence:

    1. klim6.sys
    2. kltdi.sys (Windows 7/2008)
    3. klwfp.sys (Windows 8 and later)
    4. kneps.sys
    5. klelam.sys
    6. klif.sys

     

    Uninstalling Ivanti Antivirus

     

    The following methods can be used to uninstall Ivanti Antivirus:

     

    1. Schedule a "Remove Security Components" task from within the Security Activity tool in the Ivanti EPM console. Select "Ivanti Antivirus" as a component to remove.
    2. Run "vulscan /removeav" from the client command line.

     

    If this fails it may be necessary to run the following:

     

    The KAV Removal tool should be used in case uninstallation by the other methods fails or there is suspicion that leftovers from previous installations remain.

     

    KAVRemover automatically detects the installed Kaspersky product. If detection fails, the "-nodetect" command line switch should be used.

     

    It is recommended to run KAVRemover in Safe Mode.

     

    Log files for Antivirus uninstall

    • %TEMP%\MSIXXXX.log
    • kl-update-YYYY-MM-DD-HH-MM-SS.log

     

    The kl-update-YYYY-MM-DD-HH-MM-SS.log files will be picked up by GetSystemInfo if it is run. The MSI log must be gathered manually.

     

    Note: When attempting to remove and reinstall Ivanti Antivirus, an uninstall must be performed first and then an install. Reinstalling over the top does not remove and reinstall the .MSI; it only performs the Ivanti EPM-specific actions controlled by vulscan.exe and LDAV.EXE.

    Product Activation

     

    How to troubleshoot Ivanti Antivirus license issues

     

    Note: The Ivanti Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features, as these features are covered by Ivanti Device Manager and Ivanti Patch and Compliance Manager.

     

    Directories

    • C:\ProgramData\LANDESKAV - Main directory for Ivanti Antivirus log files
    • C:\ProgramData\Kaspersky Labs - Directory for Kaspersky trace files
    • C:\Program Files (x86)\landesk\ldclient\antivirus - Main directory for Ivanti Antivirus service
    • C:\Program Files (x86)\landesk\ldclient\antivirus\install - Used to install Ivanti Antivirus and rebrand Kaspersky Endpoint Security
    • C:\Program Files (x86)\landesk\ldclient\antivirus\temp_bases8 - Used to update pattern files
    • C:\Program Files (x86)\landesk\ldclient\antivirus\kav - Kaspersky Endpoint Security files
    • C:\ProgramData\Kaspersky Lab\KES10\Bases - Pattern files directory for Kaspersky Endpoint Security 8.
    • C:\Program Files\LANDESK\LDClient\Antivirus\KAV\Patches - Directory where Kaspersky patches are stored.  Look here to see if patches have been downloaded.

     

    Files

     

    • LDAV.exe - Ivanti Antivirus service. Location: LDClient\Antivirus
    • LDAV.key - License file for Ivanti Antivirus. Location: LDClient\Antivirus

     

    Registry Keys

     

    • HKLM\Software\KasperskyLab - Kaspersky Antivirus settings
    • HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus - Configuration information, last scan dates, status information
    • HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\License - License details
    • HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan\klbehavior - Currently assigned Ivanti Antivirus settings
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\976DD27DCE3AFCF4FAFA212E5542056B\Patches - Currently installed patches

     

     

    Drivers Location

     

    All of the drivers are stored in C:\Windows\System32\Drivers.

     

    There are typically six drivers:

     

    • KLELAM.SYS
    • KL1.SYS
    • KLFLT.SYS
    • KLIF.SYS
    • KLWFP.SYS
    • KNEPS.SYS
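To verify the driver set on a client (for example, before and after the compatibility procedure above, which renames drivers to .bak), the following PowerShell is an added example and not part of the Ivanti article or the product. For each of the six drivers it reports whether the file is present in System32\Drivers, its Authenticode signature status and signer, the service control manager state, and whether a renamed .bak copy is sitting beside it. It assumes Windows PowerShell 5.1 or later in an elevated session, and assumes (not stated in the article) that each driver's service name is its file name without the extension.

```powershell
# Added example (not from the Ivanti article): inventory the six Ivanti Antivirus / KES
# drivers: present? signed? service state? renamed .bak copy left behind?
# Assumes PowerShell 5.1+, run elevated; service name == file name minus extension (assumption).
$drivers = 'KLELAM.SYS','KL1.SYS','KLFLT.SYS','KLIF.SYS','KLWFP.SYS','KNEPS.SYS'
$dir     = Join-Path $env:SystemRoot 'System32\Drivers'
$svcs    = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($d in $drivers) {
    $path    = Join-Path $dir $d
    $name    = [IO.Path]::GetFileNameWithoutExtension($d)
    $present = Test-Path -LiteralPath $path
    # The compatibility procedure renames .sys to .bak; flag any that were never restored.
    $renamed = Test-Path -LiteralPath ($path -replace '\.sys$', '.bak')

    $sigStatus = 'n/a'; $signer = ''
    if ($present) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $svc = $svcs | Where-Object { $_.Name -ieq $name } | Select-Object -First 1

    [pscustomobject]@{
        Driver     = $d
        Present    = $present
        RenamedBak = $renamed
        Signature  = $sigStatus
        Signer     = $signer
        State      = if ($svc) { $svc.State }     else { 'no service entry' }
        StartMode  = if ($svc) { $svc.StartMode } else { '' }
    }
}

$report | Format-Table -AutoSize

# Anything missing, not validly signed, or left renamed deserves a closer look.
$report | Where-Object { -not $_.Present -or $_.Signature -ne 'Valid' -or $_.RenamedBak } |
    ForEach-Object {
        Write-Warning "Check $($_.Driver): present=$($_.Present) signature=$($_.Signature) bak=$($_.RenamedBak)"
    }
```

A driver that is present but whose service entry is missing or stopped, while protection is expected to be on, is a good first thing to mention in a support case alongside the GetSystemInfo report.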

     

    Ivanti Antivirus Database Tables, Inventory Information and Security Activity

     

    Ivanti Antivirus: Database Tables, Inventory Information, and Security Activity

     

    Settings

     

    The Ivanti Antivirus scanner, like the Ivanti Security vulnerability scanner, uses an XML file to configure its behavior. Antivirus settings files are stored as C:\ProgramData\Vulscan\KLBehavior_<id>.xml.

     

    The following registry value indicates the ID of the AV behavior (and therefore which KLBehavior_<id>.xml file) currently in use:

        • Key: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan, DWORD value: KLBehavior

     

    Antivirus settings XML files can be updated using a scheduled task on the core, or they are updated automatically on the same schedule that vulscan uses to update its own agent behaviors. To refresh settings on demand, create a Change Settings task on the core server: select the "Create a Task" dropdown in Patch Manager, select "Change Settings" and then create a schedule. Alternatively, "vulscan /changesettings" can be run from the client command line (add /showui to the command to view the UI while it is running).
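The following PowerShell ties the registry value and the settings file together; it is an added example, not code from the Ivanti article or the product. It reads the KLBehavior DWORD, builds the expected C:\ProgramData\Vulscan\KLBehavior_<id>.xml path, confirms the file exists and parses as XML, and shows when it was last written, which is the quickest way to tell whether a Change Settings task actually reached the client. It assumes Windows PowerShell 5.1 or later; the Wow6432Node fallback is an assumption for a 32-bit agent read from 64-bit PowerShell and is not mentioned in the article.

```powershell
# Added example (not from the Ivanti article): resolve the KLBehavior ID to the settings
# XML vulscan is using and sanity-check it. Assumes PowerShell 5.1+. The Wow6432Node path
# is a fallback for 32-bit agents under registry redirection (assumption).
$keys = @(
    'HKLM:\SOFTWARE\LANDESK\ManagementSuite\WinClient\Vulscan',
    'HKLM:\SOFTWARE\Wow6432Node\LANDESK\ManagementSuite\WinClient\Vulscan'
)

$id = $null; $foundKey = $null
foreach ($k in $keys) {
    $p = Get-ItemProperty -Path $k -Name KLBehavior -ErrorAction SilentlyContinue
    if ($p) { $id = [int]$p.KLBehavior; $foundKey = $k; break }
}
if ($null -eq $id) {
    Write-Warning 'KLBehavior value not found; antivirus settings may never have been delivered to this client.'
    exit 1
}

$xml = Join-Path $env:ProgramData "Vulscan\KLBehavior_$id.xml"
if (-not (Test-Path -LiteralPath $xml)) {
    Write-Warning "Settings file $xml is missing; run 'vulscan /changesettings /showui' on the client."
    exit 1
}

$f = Get-Item -LiteralPath $xml
[pscustomobject]@{
    RegistryKey  = $foundKey
    KLBehaviorId = $id
    SettingsFile = $f.FullName
    SizeBytes    = $f.Length
    LastWritten  = $f.LastWriteTime
} | Format-List

# A truncated or partially written download fails to parse here.
try {
    [xml](Get-Content -LiteralPath $xml -Raw) | Out-Null
    'Settings XML parses OK'
} catch {
    Write-Warning "Settings XML did not parse: $($_.Exception.Message)"
    exit 1
}
```

If LastWritten predates the Change Settings task you scheduled, the task did not reach the client and the vulscan logs in C:\ProgramData\LANDESK\Log are the next place to look.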

    Settings that cannot be configured through Ivanti Endpoint Manager

     

    Currently, not all settings available within the client-side Ivanti Antivirus GUI (Kaspersky Endpoint Security 10) can be configured using Ivanti Endpoint Manager. To use settings that are not exposed in the Ivanti Antivirus settings within the Ivanti Endpoint Manager console, the following document outlines the steps that can be performed:

    How to import Kaspersky Agent settings to the Ivanti EPS Agent settings on the Core

     

     

    Tasks

     

    Scheduled tasks for Update, Full, and Critical Areas scans are created as LANDESK Local Scheduler tasks; no task is created within Ivanti Antivirus itself. As a result, the tasks within the client UI will show "Manually".

    [Image: Manually.png - client UI showing scan schedule as "Manually"]

    To view the LANDESK Local Scheduler tasks, from the LDCLIENT directory run "LocalSch.exe /tasks | more"
    [Image: Schedule.png - LocalSch.exe /tasks output]

    Task 7 runs LDAV.EXE /UPDATE /update - Antivirus pattern file updates (recommended update frequency is daily, before the daily scan)

    Task 8 runs LDAV.EXE /UPDATE /AVScheduledScanType=0 - Critical Areas Scan (recommended scan frequency is daily, after pattern files have been updated)

    Task 9 runs LDAV.EXE /UPDATE /AVScheduledScanType=1 - Full System Scan (recommended scan frequency is weekly)

     

    Gathering logging information for Ivanti support

     

    Standard Log Files

     

    • C:\ProgramData\LANDESKAV\*.log
    • C:\ProgramData\LANDESK\Log\*.log
    • C:\ProgramData\vulscan\installav*.log
    • C:\ProgramData\Kaspersky Lab\*.log
    • C:\Windows\Temp\KL*.log, %TEMP%\KL*.log,
    • C:\Windows\Temp\Ucaevents.log, %TEMP%\Ucaevents.log
    • C:\Documents and Settings\All Users\Application Data\LANDESKAV\*.log
    • C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log
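Gathering the standard log set by hand is error-prone, so the following PowerShell is offered as an added example; it is not from the Ivanti article or the product. It copies every file matching the locations listed above into a staging folder (keeping the source folder in the name so same-named logs do not collide), compresses the result into one timestamped .zip under %TEMP%, and lists any location that had nothing to collect. It assumes Windows PowerShell 5.0 or later (for Compress-Archive) and an elevated session so the ProgramData logs are readable.

```powershell
# Added example (not from the Ivanti article): collect the standard Ivanti Antivirus logs
# into one .zip for a support case. Assumes PowerShell 5.0+ (Compress-Archive), run elevated.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$stage = Join-Path $env:TEMP "ivanti-av-logs-$stamp"
$zip   = "$stage.zip"
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Locations from the article's "Standard Log Files" list.
$patterns = @(
    "$env:ProgramData\LANDESKAV\*.log",
    "$env:ProgramData\LANDESK\Log\*.log",
    "$env:ProgramData\vulscan\installav*.log",
    "$env:ProgramData\Kaspersky Lab\*.log",
    "$env:SystemRoot\Temp\KL*.log",
    "$env:TEMP\KL*.log",
    "$env:SystemRoot\Temp\Ucaevents.log",
    "$env:TEMP\Ucaevents.log",
    'C:\Documents and Settings\All Users\Application Data\LANDESKAV\*.log',
    'C:\Documents and Settings\All Users\Application Data\vulscan\installav*.log'
)

$missing = @()
$count   = 0
foreach ($pat in $patterns) {
    $files = @(Get-ChildItem -Path $pat -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { $missing += $pat; continue }

    # Subfolder named after the source directory, e.g. C__ProgramData_LANDESK_Log
    $sub = Join-Path $stage ((Split-Path $pat -Parent) -replace '[:\\ ]+', '_')
    New-Item -ItemType Directory -Path $sub -Force | Out-Null
    $files | Copy-Item -Destination $sub -Force
    $count += $files.Count
}

if ($count -eq 0) {
    Remove-Item -LiteralPath $stage -Recurse -Force
    Write-Warning 'No log files found in any of the standard locations.'
    exit 1
}

Compress-Archive -Path "$stage\*" -DestinationPath $zip -Force
Remove-Item -LiteralPath $stage -Recurse -Force

"Collected $count file file(s) into $zip"
if ($missing.Count -gt 0) {
    'Nothing found at:'
    $missing | ForEach-Object { "  $_" }
}
```

The resulting archive complements, rather than replaces, the GetSystemInfo report described below, since that report gathers most of these logs itself but not the MSI log from an uninstall.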


    GetSystemInfo Report

     

    This is a very important log file to get. It should be the first log retrieved, as it contains most of the log files above along with detailed information about the computer, including hardware information, operating system, drivers, installed software, etc. This utility can be very useful for determining the cause of certain issues.

     

    GetSystemInfo Utility Download

     

      1. Extract the downloaded GetSystemInfo Utility .ZIP file.
      2. Run GSI.EXE, which you extracted from the .ZIP file.
      3. Click the green "Play" button to start gathering the report.
      4. Wait until the utility has completely scanned the system. (This may take quite some time.)
      5. Click OK to confirm the creation of the report.

     

    A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip. Attach this report to your case, or e-mail it to your Ivanti Support technician. The GetSystemInfo report can then be reviewed and further analyzed as follows:

      1. Browse to http://www.getsysteminfo.com/
      2. On the GetSystemInfo web site click "Choose file", browse to the previously gathered GetSystemInfo log file, and upload it to the site.
      3. After uploading the file you can analyze it yourself.
        [Image: GetSystemInfo.jpg - GetSystemInfo upload page]
      4. This will bring up a tabbed interface with various information:
        [Image: GetSystemInfoTabs.jpg - GetSystemInfo report tabs]

    Trace Log Files

     

    The following article contains detailed information for gathering trace log files: How to gather trace log files for Ivanti Antivirus

    Antivirus client configuration export

    At times it may be necessary to export the configuration from the Antivirus client. The following article gives the procedure:

     

    How To: Import/Export Kaspersky Agent Settings

     

    Advanced Logging for the Updater SDK (for troubleshooting definition download issues)

     

    1. Copy the attached UPDSDK.XML to the \ManagementSuite\LDLogon\Antivirus8 folder on the core server.

    2. Download the Antivirus pattern files.

     

    This will create a UpdaterSDK7.log file in the ManagementSuite folder.

     

    Memory dump

    In case of a blue screen, a memory dump will need to be gathered.

     

      1. Right-click "My Computer" and choose "Properties".
      2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery".
      3. Under the "System failure" section, under "Write debugging information", click the drop-down and select "Complete memory dump".
      4. Make note of the path that the MEMORY.DMP file will be saved to.
      5. Reproduce the blue screen issue, then collect the MEMORY.DMP file and compress it in a .ZIP file.

    A complete memory dump must be supplied; a mini dump does not contain sufficient information.

     

    See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.

     

    Submitting files for investigation by Kaspersky

     

    How to report undetected viruses or false positives to Ivanti