How to troubleshoot Ivanti Antivirus license issues

Version 22

    Verified Product Versions

    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x
    LANDESK Endpoint Manager 2017.x

    Troubleshooting Ivanti Antivirus licensing issues

     

    This article describes the technical process that the administrator and Ivanti Antivirus go through to successfully install and activate an Ivanti Antivirus key on a client.

     

    Note: The Ivanti Antivirus product does not contain the Kaspersky Device Control or Vulnerability Detection features as these features are covered by Ivanti EPS Device Manager and Patch and Compliance Manager.

     

     

     

    How to obtain an Ivanti Antivirus license key

    The license file has a name of the form xxxxxxxx.key.  It contains service information required for the correct functioning of Ivanti Antivirus (based on Kaspersky Endpoint Security 10) as well as the following data:

     

    • Information about the vendor of this version (company name and contact information)
    • Technical support information (who provides technical support and how to get it)
    • License key release date
    • License title and number
    • Information about functionality of the components
    • License expiration date

     

    Open a case with Ivanti support.

     

    To log a case via the web:

    1. Go to https://support.ivanti.com/CaseLogging.aspx and log in
    2. Fill out the request form and submit
      Please be sure to select a category of "Product activation / Licensing" so your case is routed to the correct team

    To log a case via the phone:

    1. Contact Ivanti Support by phone and select Option 1 for Product Activation/Licensing.
    2. Select option 1 again for LDMS/LDSS Licensing support.
    3. Give the Support Engineer your company account name and your contact information.
    4. The Support Engineer will provide a .key file via e-mail.

     

    Import License to Core

     

    The first step that needs to occur is to import an Ivanti Antivirus license into the core server.  You should have received a .ZIP file containing your .KEY file and a .PDF file that details the license information.

     

    The following should be done from an Ivanti Endpoint Manager Console:

     

    1. Extract the .ZIP file received from LANDESK Licensing or from your Sales Representative to a location you will remember.
    2. On the Core Server open the following tool: Security and Compliance -> Agent Settings -> Gear (Settings) drop-down -> Ivanti Antivirus License information
      [Screenshot: LicenseInformationWindow.jpg]
    3. The following window will open:
      [Screenshot: ImportedLicenseInformation.jpg]
    4. Browse to the .KEY file unzipped in Step 1.

      The window now shows the date the license was created, the license number, and the license information number.

      License Expiration Information can be viewed in several places:

      a. Security Activity tool under Ivanti Antivirus -> Licenses
      [Screenshot: LicenseSecurityActivity.jpg]
      b. On the client in the Ivanti Antivirus program window under the "License" link at the bottom of the Window.
      [Screenshot: ClientLicenseInformation.jpg]
    5. After the new license key is imported the file is renamed to LDAV.KEY and gets copied to the LDLOGON\AVCLIENT\INSTALL\KEY folder on the Core Server.

     

    What could go wrong?

    • Failure to write the LDAV.KEY to the LDLOGON\AVClient\Install\Key folder on the core server.  (Check rights, Console.exe.log, etc)

     

    Update of licenses on Managed Clients

     

    1. When the next Security and Compliance (vulscan) scan is run on the client, the vulscan self update feature downloads LDAV.KEY and places it into the LDCLIENT directory.
    2. Vulscan.exe copies LDAV.KEY to the LDCLIENT\Antivirus\Install\Key folder on the client.
    3. Every 5 minutes the Ivanti Antivirus Service compares the hash between the LDCLIENT\Antivirus\Install\Key\LDAV.KEY and LDCLIENT\Antivirus\LDAV.KEY.  (Note: To have this update instantly you can restart the Ivanti Antivirus service)
      (LDAV.KEY in the LDCLIENT\Antivirus folder is the active key that the product uses)
    4. If a difference is found between LDCLIENT\Antivirus\Install\Key\LDAV.KEY and LDCLIENT\Antivirus\LDAV.KEY the license activation process will occur.  This involves invoking the Kaspersky licensing process that imports the key information into the product.
    5. The license information is stored in one of the following registry keys on the client, depending on whether the OS is 32-bit or 64-bit:

      HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License

                     

     

    Manually updating the license

     

    It is possible to manually update the Ivanti Antivirus license.  This can be useful for remote users who can't connect via VPN or CSA to pull down the new key from the core server automatically.

    1. On the core server, locate the current ldav.key file in C:\Program Files\LANDesk\ManagementSuite\ldlogon\AVClient\Install\key
    2. Copy this key to the client (or send it to your remote user by secure email, FTP etc.) and place it in C:\Program Files (x86)\LANDesk\LDClient\Antivirus\install\key
    3. Wait 5 minutes for the Ivanti Antivirus Service to compare the keys, or simply restart the service.

     

    What could go wrong?

    • Failure to download the LDAV.KEY from the core server.  (This should be noted in the Vulscan.log file on the client).
    • Failure to copy the LDAV.KEY file from the LDCLIENT directory to the LDCLIENT\Antivirus\Install\Key folder on the client (This should be noted in the Vulscan.log file on the client)
      This could be caused by the LDAV.KEY file being read-only.
    • Failure for the Ivanti Antivirus service to copy the LDAV.KEY from LDCLIENT\Antivirus\Install\Key folder to the LDCLIENT\Antivirus folder on the client (This would show in the \ProgramData\LANDESK\Log\LDAV.log file)
    • Failure to write the registry key information (HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License)
    • Failure to contact the WSVulnerabilityCore web service to send the Antivirus information.  (Vulscan.log and WSVulnerabilityCore.dll log files should be examined)
    • Failure to write the antivirus information to the Antivirus table in the database.  (WSVulnerabilityCore.dll.log on the core server should be examined, and the Antivirus table can be examined for information about that particular computer.)
      (Does that computer exist in the database?)
      Run a full inventory scan if it cannot be found.
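
    The client-side checks from the two lists above (the three LDAV.KEY locations, the read-only attribute and the License registry key) can be run in one pass. The following PowerShell is an added example, not part of the original article or Ivanti's tooling; the function name Get-KeyState is hypothetical, the path is the 64-bit client path used in this article, and SHA-256 is used only to tell the files apart.

```powershell
# Added example (not Ivanti code). Run on the client in an elevated PowerShell.
# $LdClient is the 64-bit path used in this article; adjust it for a 32-bit OS.
$LdClient = 'C:\Program Files (x86)\LANDesk\LDClient'
$keys = [ordered]@{
    Downloaded = Join-Path $LdClient 'LDAV.KEY'                        # placed by vulscan self update
    Staged     = Join-Path $LdClient 'Antivirus\Install\Key\LDAV.KEY'  # copied by Vulscan.exe
    Active     = Join-Path $LdClient 'Antivirus\LDAV.KEY'              # key the product uses
}
$regPaths = 'HKLM:\SOFTWARE\LANDesk\managementsuite\WinClient\Antivirus\License',
            'HKLM:\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License'

function Get-KeyState {
    param([string]$Stage, [string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    # SHA-256 only detects a difference; the article does not name the hash the service uses.
    $hash = if ($file) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
    [pscustomobject]@{
        Stage = $Stage; Exists = [bool]$file; ReadOnly = $file.IsReadOnly
        LastWrite = $file.LastWriteTime; Sha256 = $hash
    }
}

$state  = foreach ($k in $keys.GetEnumerator()) { Get-KeyState $k.Key $k.Value }
$staged = $state | Where-Object Stage -eq 'Staged'
$active = $state | Where-Object Stage -eq 'Active'

$verdict = if (-not $staged.Exists) {
    'Staged key missing: check Vulscan.log for the download and copy of LDAV.KEY.'
} elseif (-not $active.Exists -or $staged.Sha256 -ne $active.Sha256) {
    'Staged and active keys differ: wait 5 minutes or restart the service, then check LDAV.log.'
} else {
    'Staged and active keys match.'
}

$state | Format-Table Stage, Exists, ReadOnly, LastWrite, Sha256 -AutoSize | Out-String
$state | Where-Object ReadOnly |
    ForEach-Object { "WARNING: $($_.Stage) LDAV.KEY is read-only, which can block the copy." }
foreach ($p in $regPaths) {
    # Only one of the two keys is expected, depending on OS bitness.
    $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
    '{0}: {1}' -f $p, $(if ($key) { "$($key.ValueCount) value(s)" } else { 'not present' })
}
$verdict
```

    A missing Downloaded copy is expected when the key was placed manually in the Install\Key folder as described under "Manually updating the license".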

     

     

    Reporting of Ivanti Antivirus information to the core server

     

    1. Antivirus information is sent to the core server through the PutLDAVTableData method of the WSVulnerabilityCore web service when Vulscan runs, or every 5 minutes by the Ivanti Antivirus Service.

      The following information is sent and appears in the Vulscan.log as follows:

      Thu, 17 Sep 2015 10:52:00 --- Antivirus table data ---------------------------------------
      Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus
      Thu, 17 Sep 2015 10:52:00 AutoProtect: On
      Thu, 17 Sep 2015 10:52:00 ProductVersion: 10.2.1.23
      Thu, 17 Sep 2015 10:52:00 EngineVersion: 6.8.0.27
      Thu, 17 Sep 2015 10:52:00 DefVersion: 
      Thu, 17 Sep 2015 10:52:00 PubDate: 2015-09-17 07:31:00 (1442496660)
      Thu, 17 Sep 2015 10:52:00 DefInstDate: 2015-09-17 09:28:50 (1442503730)
      Thu, 17 Sep 2015 10:52:00 Empty CTime: 1969-12-31 17:00:00 (0)
      Thu, 17 Sep 2015 10:52:00 LastVirusScan: 2015-09-17 09:29:15 (1442503755)
      Thu, 17 Sep 2015 10:52:00 LastFullVirusScan: 2015-09-15 12:50:21 (1442343021)
      Thu, 17 Sep 2015 10:52:00 LastQuickVirusScan: 2015-09-17 09:29:15 (1442503755)
      Thu, 17 Sep 2015 10:52:00 StartFullVirusScan: 2015-09-15 12:47:44 (1442342864)
      Thu, 17 Sep 2015 10:52:00 StartQuickVirusScan: 2015-09-17 09:28:59 (1442503739)
      Thu, 17 Sep 2015 10:52:00 FullVirusScanCancelled: 0
      Thu, 17 Sep 2015 10:52:00 QuickVirusScanCancelled: 0
      Thu, 17 Sep 2015 10:52:00 AgentRunning: True
      Thu, 17 Sep 2015 10:52:00 PatternServer: YourCoreServerName
      Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799)
      Thu, 17 Sep 2015 10:52:00 LicensePeriod: 362
      Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX
      Thu, 17 Sep 2015 10:52:00 LicenseProductName:
      Thu, 17 Sep 2015 10:52:00 LicenseMaxCount: 2000
      Thu, 17 Sep 2015 10:52:00 --------------------------------------------------------------------------
      Thu, 17 Sep 2015 10:52:00 In SendRequest: Action = SOAPAction: "http://tempuri.org/PutLdavTableData"
      Thu, 17 Sep 2015 10:52:00 SendRequest: SOAPAction: "http://tempuri.org/PutLdavTableData"
    2. This will appear in the WSVulnerabilityCore.dll log on the core as follows:
      09/17/2015 09:52:00 INFO 13484:3     RollingLog : LdavTableData.Update:  Updated a record for Antivirus_Idn = 1
    3. This information is placed into the Antivirus table in the Ivanti IEM database.
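
    To check what a client last reported without reading the log by eye, the "Antivirus table data" block can be parsed and its license fields tested. This PowerShell is an added example, not Ivanti code; the function name Get-LdavTableReport is hypothetical and the sample lines are constructed from the excerpt above.

```powershell
# Added example (not Ivanti code). $sample is constructed from the excerpt above;
# on a client, load the real file instead with Get-Content.
$sample = @'
Thu, 17 Sep 2015 10:52:00 --- Antivirus table data ---------------------------------------
Thu, 17 Sep 2015 10:52:00 ProductName: LANDESK Antivirus
Thu, 17 Sep 2015 10:52:00 AgentRunning: True
Thu, 17 Sep 2015 10:52:00 LicenseExpirationDate: 2016-09-13 23:59:59 (1473832799)
Thu, 17 Sep 2015 10:52:00 LicenseNumber: XXXX-XXXXX-XXXXXXX
Thu, 17 Sep 2015 10:52:00 --------------------------------------------------------------------------
Thu, 17 Sep 2015 10:52:00 SendRequest: SOAPAction: "http://tempuri.org/PutLdavTableData"
'@ -split '\r?\n'

function Get-LdavTableReport {
    param([string[]]$Lines)
    $reports = [System.Collections.Generic.List[object]]::new()
    $cur = $null; $inBlock = $false
    foreach ($line in $Lines) {
        if ($line -match 'Antivirus table data') {
            $cur = [ordered]@{ SendSeen = $false }; $reports.Add($cur); $inBlock = $true
        } elseif ($inBlock -and $line -match '\d{2}:\d{2}:\d{2} -{10,}\s*$') {
            $inBlock = $false                      # closing dashed line ends the block
        } elseif ($inBlock -and $line -match '\d{2}:\d{2}:\d{2} (\w+):\s?(.*)$') {
            $cur[$Matches[1]] = $Matches[2].Trim() # "Name: value" field
        } elseif ($null -ne $cur -and $line -match 'SendRequest: SOAPAction: ".*/PutLdavTableData"') {
            $cur['SendSeen'] = $true               # block was posted to WSVulnerabilityCore
        }
    }
    $reports
}

foreach ($r in @(Get-LdavTableReport $sample)) {
    $problems = @()
    if (-not $r['LicenseNumber']) { $problems += 'LicenseNumber is empty' }
    if ($r['LicenseExpirationDate'] -match '\((\d+)\)$') {
        $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$Matches[1])
        if ($Matches[1] -eq '0') { $problems += 'LicenseExpirationDate is empty (epoch 0)' }
        elseif ($expiry -lt [DateTimeOffset]::UtcNow) { $problems += "license expired $($expiry.ToString('u'))" }
    } else { $problems += 'LicenseExpirationDate not reported' }
    if ($r['AgentRunning'] -ne 'True') { $problems += 'AgentRunning is not True' }
    if (-not $r['SendSeen']) { $problems += 'no PutLdavTableData request logged after the block' }
    if ($problems) { "CHECK: $($problems -join '; ')" }
    else { "OK: license $($r['LicenseNumber']) valid until $($expiry.ToString('u'))" }
}
```

    Run against the constructed sample, this reports the license as expired, because the excerpt dates from 2015.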

     

    What could go wrong?

    • Failure to write the registry key information (HKLM\Software\LANDesk\managementsuite\WinClient\Antivirus\License or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\landesk\managementsuite\WinClient\Antivirus\License)
    • Failure to contact the WSVulnerabilityCore web service to send the Antivirus information.  (Vulscan.log and WSVulnerabilityCore.dll log files should be examined)
    • Failure to write the antivirus information to the Antivirus table in the database.  (WSVulnerabilityCore.dll.log on the core server should be examined, and the Antivirus table can be examined for information about that particular computer.)
      (Does that computer exist in the database?)
      Run a full inventory scan if it cannot be found.

     

    When does Ivanti Antivirus check to see if the license key is valid?

     

    • During Ivanti Antivirus installation
    • When the Ivanti Antivirus service is started
    • Every 5 minutes after Ivanti Antivirus service is started
    • After pattern file update is performed

     

    When troubleshooting client activation issues, the following log files should be consulted:

     

    • LDAV.LOG - Shows activation activity from the Ivanti Antivirus service start or the 5 minute interval check
    • LDAV_UPDATE.LOG - Shows activation activity if Ivanti Antivirus is activated during pattern file update
    • LDAV_INSTALL.LOG - Shows activation activity if Ivanti Antivirus is activated during the installation
    • Vulscan.log - Shows download and copy of key file
    • WSVulnerabilityCore.dll log - Shows reporting of Ivanti Antivirus information as received from Vulscan or the Ivanti Antivirus service

     

    Error: "Black list of keys is corrupted" is displayed in the Licensing window

     

    What is a "black" list of keys?

     

    The black list of keys is a database that contains information about key files that can no longer be used for activation of Ivanti Antivirus. Keys are blocked for the following reasons:

    • Malfunctioning.
    • The key was activated on a computer with incorrect system time or date.
    • The key was stolen.
    • The key was available on pirate servers for free download.

     

    The database of such keys is located in a file named black.lst, which is downloaded and saved with the regular updates. The file is required for correct functioning of Ivanti Antivirus products.

     

    The 'black list' of key files is a file named black.lst. This file is downloaded and saved along with databases (anti-virus, anti-spam, network attacks). Ivanti Antivirus cannot function without a 'black list' file.

     

    Kaspersky Lab software stops functioning and notifies the user in the following cases:

    • if there is no black.lst file on your PC;
    • if the file black.lst is damaged;
    • if the Kaspersky Anti-Virus you have installed is using a key file from the 'black list'.

    If there is no black.lst file on your PC or it is damaged, start an update task to download it again. Otherwise Ivanti Antivirus protection will not function.

     

    Resolution

     

    1. Create a new Ivanti Antivirus setting that allows the user to change the settings.

      [Screenshot: AllowChangeSettings.png]
    2. Push a Change Settings task to apply these updated settings to the affected client(s).
      (You can change the existing setting as well, but this carries the risk that, while you are repairing this issue, all client computers using this setting will allow the user to change settings.)
    3. Go to Advanced Settings within the Ivanti Client UI and uncheck "Enable Self Defense".

      [Screenshot: TurnOffAVSelfDefense.jpg]

    4. Delete the blst*.xml file(s) from C:\Program Files (x86)\LANDESK\LDClient\Antivirus\temp_bases8\landesk\updates on the client.
    5. Update the Antivirus pattern files on the core server.
    6. Update the pattern files on the client.
    7. Change the AV settings back to the original so that the user is not allowed to change settings.

     

    If this resolution does not help, it may be necessary to reinstall Ivanti Antivirus on the client computer.   This can be done through an "Install/Update Security Settings" task from within the Agent Settings tool.