How to troubleshoot LANDESK Endpoint Security

Version 18

    Verified Product Versions

    LANDESK Management Suite 9.5, LANDESK Management Suite 9.6, LANDESK Management Suite 2016.x

     

    This troubleshooting guide covers common scenarios that require troubleshooting assistance.  The first step towards troubleshooting Endpoint Security effectively is education, so it is recommended to read the materials that explain Endpoint Security.  A good starting point is the help file.  In addition, How to get started with LANDESK Endpoint Security - Application Control is recommended.

     


    Ensure EPS files are all up to date

     

    The single most important step is ensuring you are running the most recent EPS files.  Compare the files in the Program Files (x86)\LDCLIENT\HIPS folder on the client with those in the most recent available patch.  In addition, compare C:\Windows\System32\Drivers\LDSECDRV.SYS, which is the LANDESK Endpoint Security driver.

     

    A large number of cases are resolved by updating to the latest EPS version.  Many cases are reported as being on patch X when only the core has been updated to patch X and the client is actually running an old version of LANDESK EPS.

    For further information on installing a LANDESK Endpoint Security patch, see How to properly install a LANDESK Endpoint Security component patch.
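    The comparison described above can be scripted.  The following PowerShell is an added example and is not part of the LANDESK article: it reads the file versions in the client HIPS folder and the LDSECDRV.SYS driver, compares them with the files extracted from the newest EPS patch, and flags anything missing or older.  The HIPS and driver paths follow the article; $PatchFolder is a placeholder you must point at your extracted patch.

```powershell
# Added example, not from the LANDESK article: compare the Endpoint Security files on a
# client with the files extracted from the newest EPS patch and flag anything outdated.
# Assumptions: the HIPS folder path follows the article; $PatchFolder is a placeholder
# for wherever you extracted the patch; the driver path is the one the article names.
param(
    [string]$ClientHips  = "${env:ProgramFiles(x86)}\LDCLIENT\HIPS",
    [string]$PatchFolder = "C:\Temp\EPSPatch_Extracted",   # placeholder: your extracted patch
    [string]$Driver      = "$env:SystemRoot\System32\Drivers\LDSECDRV.SYS"
)

function Get-NumericFileVersion {
    param([System.IO.FileInfo]$File)
    # FileVersion strings can carry text suffixes; keep only the leading dotted number
    if (([string]$File.VersionInfo.FileVersion) -match '^\s*(\d+(\.\d+){1,3})') { [version]$Matches[1] } else { $null }
}

function Get-FileVersionMap {
    param([string]$Folder)
    $map = @{}
    Get-ChildItem -Path $Folder -File -Recurse -Include *.dll,*.exe,*.sys -ErrorAction SilentlyContinue |
        ForEach-Object { $map[$_.Name.ToLowerInvariant()] = Get-NumericFileVersion $_ }
    $map
}

function Compare-EpsVersions {
    param([string]$ClientHips, [string]$PatchFolder, [string]$Driver)
    $client = Get-FileVersionMap -Folder $ClientHips
    $patch  = Get-FileVersionMap -Folder $PatchFolder
    # The driver lives in System32\Drivers, outside the HIPS folder, so add it explicitly
    if (Test-Path $Driver) { $client['ldsecdrv.sys'] = Get-NumericFileVersion (Get-Item $Driver) }
    foreach ($name in ($patch.Keys | Sort-Object)) {
        $have = $client[$name]; $want = $patch[$name]
        $status = if ($null -eq $have)                { 'MISSING on client' }
                  elseif ($want -and $have -lt $want) { 'OUTDATED' }
                  else                                { 'OK' }
        [pscustomobject]@{ File = $name; Client = $have; Patch = $want; Status = $status }
    }
}

Compare-EpsVersions -ClientHips $ClientHips -PatchFolder $PatchFolder -Driver $Driver |
    Format-Table -AutoSize
```

    Any row marked OUTDATED or MISSING on client indicates the client has not received the patch even if the core reports it installed.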

     


    Settings

     

    The Endpoint Security settings should be configured as desired prior to the installation of LANDESK Endpoint Security.  The settings are updated on the client when Vulscan runs and detects a change in the setting on the core, so settings changed on the core reach the client at the next vulnerability scan.  A Change Settings task can also be used to refresh the client settings.  In addition, from the client "Run" command you can run "vulscan /changesettings /showui".

     

    Settings files

     

    Endpoint Security uses several settings files:

     

    Files in the client ProgramData\Vulscan directory

    ─────────────────────────────────────────────────

    DCMBehavior_Corename_Revision#.xml - Device Control Behavior

    Example file: DCMBehavior_LDMS10_v602.xml

    ─────────────────────────────────────────────────

    EPSBehavior_Corename_Revision#.xml - Top level Endpoint Security Behavior

    Example file: EPSBehavior_LDMS10_v606.xml

    ─────────────────────────────────────────────────

    LDFBehavior_Corename_Revision#.xml - LANDESK Firewall Behavior

    Example file: LDFBehavior_LDMS10_v604.xml

    ─────────────────────────────────────────────────

    TrustedFileList_CoreName_Revision#.xml - LANDESK Trusted File list

    Example file: TrustedFileList_LDMS10_v605.xml

    ─────────────────────────────────────────────────

     

    Settings Registry key

    The behaviors that the client is using can be viewed in the client registry:

     



    Changing EPS Settings


    EPS settings can be changed or refreshed by doing a Change Settings task from within the Agent Settings tool.  This tool can be accessed by doing the following steps:

     

      1. Open the Agent Settings tool on the Core Server from the tool group Security and Compliance
      2. Click on the Create a task dropdown (Calendar and clock icon) and select Change settings.  This will open up a Patch and Compliance - change settings task dialog
      3. Select Keep agent's current settings to force a refresh on the client (useful if you have changed something in the existing client setting), or select a different EPS setting in the dropdown menu where it says Keep agent's current settings in order to switch from one EPS setting to the other.
      4. Select other task options as desired
      5. Click Save

    A settings update can be initiated from a client by typing "Vulscan /changesettings /showui" from the Run command line.


    Endpoint Security Installation

     

    Endpoint Security installation activity is logged in C:\ProgramData\LANDESK\Log\vulscan#.log.  You will need to open the different vulscan logs and look for a command line like this:
    Command line: /installhips /noupdate /nosync /rebootaction=never /showui=false

                         

     

    There are three ways to install LANDESK Endpoint Security:

     

    Include in Agent Configuration

     

      1. Within the Agent Configuration tool (in the Configuration tool group) select Agent Configuration
      2. Select the desired configuration or create a new agent configuration
      3. Select the Endpoint Security agent component from within the Start group
      4. Under the Distribution and Patch section of the tree expand Security and Compliance and select Endpoint Security
      5. Select the desired Endpoint Security configuration or select Configure and New to create a new configuration
      6. Click Save
      7. Schedule Agent deployment as typically scheduled.

     

    Schedule an Install/Update security components task after the agent is already installed

     

      1. Open the Agent Settings tool from within the Configuration or Security and Compliance tool group
      2. Select the Create a task dropdown (Calendar with clock icon).
      3. Select Install/Update Security Components
      4. The Patch and Compliance install/update security components task window will appear
      5. Check the box next to Endpoint Security and select the desired Endpoint Security setting.
      6. Change other Task Parameters as desired and click Save
      7. Add clients to the task and schedule it as desired.

     

    Run installation command from client

      1. Select the Start menu on the client and select Run
      2. Type in vulscan /installeps /showui and press enter
      3. At this point LANDESK Endpoint Security will install
      4. The EPS installation will require a reboot in order to install the driver

    (Note: This method will use the EPS configuration that is set as default on the core server)

     


    Endpoint Security Removal

     

    Removing Endpoint Security is similar to the installation of Endpoint Security.  The steps above are applicable; however, you will use a Remove security components task instead of the Install/Update Security Components task, or you will use the vulscan /removeeps /showui command on the client.

    In addition, you can reinstall the agent without including LANDESK Endpoint Security as a method for removing LANDESK EPS.

    Removing LANDESK Endpoint Security may require a reboot to remove the driver.

     

     


    Endpoint Security Patch Installation

     

    How to properly install a LANDESK Endpoint Security component patch

     

     


    Troubleshooting compatibility issues

    Occasionally, third-party drivers and/or applications can conflict with LANDESK Endpoint Security.  Considering the current installation base of LANDESK Endpoint Security, blue screen incidents have been limited.

     

    This can often occur when a virtual device driver from another program is updated, or when the third-party program behaves in a way that causes an unexpected exception.  Issues reported within the last year have only been seen with the following programs:

     

    • Symantec Antivirus/Endpoint Protection products (Install latest LANDESK EPS patch and/or install latest Symantec maintenance update)
    • HP Proliant Server (Disable NX in BIOS to resolve)
    • Nvidia Graphics Driver (Install latest LANDESK EPS patch and/or install latest Nvidia driver)
    • Citrix Receiver (Drivers in question: ctxusbm.sys, ucx01000.sys)
    • Aventail VPN (Driver in question: ngfileter.sys; upgrade to the latest versions of Aventail and LANDESK Endpoint Security)

     

    Most often the compatibility issue will present itself as a Blue Screen (BSOD).

     

    When troubleshooting a blue screen, always ensure that the client is up to date with the latest EPS patches from LANDESK.  In addition, if the Blue screen does not show LDSECDRV.SYS as the driver causing the issue, investigate the driver file name and see what other products exist that use that filename.

     

     


    Troubleshooting Blue Screen (BSOD) Issues

     

    How to troubleshoot bluescreen issues

     

     


    Product Licensing

     

    LANDESK Endpoint Security is included in a Security Suite subscription, no other licensing is required.

     


    Registry Keys

     

    See https://community.landesk.com/docs/DOC-40681#jive_content_id_Settings_Registry_key

     

    In addition the following registry key exists: HKLM\Software\LANDESK\HIPS

     

     


    Database Tables

     

    LANDESK EPS uses the following database tables:

      • EPSRepCache
      • FileInfo (LANDESK Inventory scanner gathers file information and returns it to the core)
      • HIPS (Stores the last status of the EPS service - Running or Stopped)
      • PatchHistory (Security Activity information)
      • ShadowCopyAction

     


    Security Activity

     

    When an event happens with LANDESK Endpoint Security (application blocked, device blocked, startup module added, etc.), this information is sent to the core server, where it is stored in the database and can be viewed within the Security Activity tool.

     

    How actions are sent from the Client to the core server

    Whenever an action takes place (a device is blocked, shadow copy activity takes place, etc.), the activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file.  If no further activity takes place within 2 minutes, Softmon sends this information to the core server; otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server.  This ActionHistory information is stored in the SecurityAction table in the database and displayed in the Security Activity window.  After the ActionHistory is sent, the .XML file is renamed to .SENT.XML.  11 copies of this file are kept on the client: .sent, and then .sent numbered 1-10.

     

    If ActionHistory is sent during a Vulnerability Scan, this action is logged in the Vulscan.log file.

    If ActionHistory is sent via Softmon, this is logged in the Softmon.log file.
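    When Security Activity on the core is missing events from a client, it is useful to see whether the ActionHistory files are still waiting to be sent.  The following PowerShell is an added example, not part of the LANDESK article, that reports unsent ActionHistory files older than the 2 minute quiet window and counts the retained .sent copies.  It assumes the files live in ProgramData\Vulscan (the article does not name the folder) and that sent copies match *.sent*.xml as described above.

```powershell
# Added example, not from the LANDESK article: check a client for ActionHistory files
# that have not been sent to the core. Assumptions: the files live in ProgramData\Vulscan
# (the article does not name the folder), and sent copies match *.sent*.xml as described.
param(
    [string]$VulscanDir   = "$env:ProgramData\Vulscan",
    [int]   $QuietMinutes = 2    # Softmon sends after 2 minutes of no new activity
)

function Get-ActionHistoryStatus {
    param([string]$Folder, [int]$QuietMinutes)
    $now     = Get-Date
    $all     = @(Get-ChildItem -Path $Folder -Filter 'ActionHistory.*' -File -ErrorAction SilentlyContinue)
    # -match is case-insensitive, so .SENT.XML and .sent.xml are both recognised
    $sent    = @($all | Where-Object { $_.Name -match '\.sent\.?\d*\.xml$' })
    $pending = @($all | Where-Object { $_.Name -match '\.xml$' -and $_.Name -notmatch '\.sent\.?\d*\.xml$' })
    # An unsent file untouched for longer than the quiet window should already have been
    # uploaded by Softmon; look in Softmon.log (or Vulscan.log after a scan) for the attempt.
    $stale   = @($pending | Where-Object { ($now - $_.LastWriteTime).TotalMinutes -gt $QuietMinutes })
    [pscustomobject]@{
        PendingFiles  = $pending.Count
        StalePending  = $stale.Count
        StaleNames    = $stale.Name
        OldestPending = if ($pending.Count) { ($pending | Sort-Object LastWriteTime)[0].LastWriteTime } else { $null }
        SentCopies    = $sent.Count      # the article says up to 11 copies are retained
        NewestSent    = if ($sent.Count) { ($sent | Sort-Object LastWriteTime -Descending)[0].Name } else { $null }
    }
}

Get-ActionHistoryStatus -Folder $VulscanDir -QuietMinutes $QuietMinutes | Format-List
```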

    ───────────────────────────────────────


    The following SQL query will return all of the Endpoint Security related activity.

    select * from patchhistory where Actioncode IN (81,82,83,84,85,86,87,88,89,90)

                 

     

     


    Gathering Information for LANDESK Support

    Debug Log Files

      1. Open the Endpoint Security GUI by clicking on the EPS system tray icon.  Hold LSHIFT (left shift key) + LCTRL (left control key), then click the Drop-down Menu in the upper right (next to the gear icons) to reveal the Extended Menu.

      2. After reproducing the issue, click the Drop-down Menu while holding LSHIFT and LCTRL and choose Generate debug logs.  The debug logs will be saved to your Desktop as eps-logs.zip.

        The eps-logs.zip file will contain the required information to send to support for troubleshooting.

      3. Once done generating the Debug Logs, click the Drop-down Menu and choose Disable debug mode.

     

    Export Endpoint Security Settings

     

    By exporting the Endpoint Security settings from your core server the LANDESK technician can import your settings into his/her environment and attempt to understand your issue more thoroughly.

     

    Steps to Export Endpoint Security Settings

     

      1. From within the Configuration group open the Agent Settings tool.
      2. Navigate to Security -> All Agent Settings and Endpoint Security
      3. In the right hand pane right-click the EPS setting in question and select Export.
        This will export a .LDMS file that will contain the top-level Endpoint Security setting and all subcomponent settings including Trusted File lists if they are being used.  So there is no need to send separate exports of Application Control settings, Device Control settings, etc.

     

    Memory Dump from Blue Screen

     

    If the issue is a Blue Screen error (BSOD) follow these instructions to gather the MEMORY.DMP file to provide to LANDESK support.