- Ensure EPS files are all up to date
- Endpoint Security Installation
- Endpoint Security Removal
- Endpoint Security Patch Installation
- Troubleshooting compatibility issues
- Troubleshooting Blue Screen (BSOD) Issues
- Product Licensing
- Registry Keys
- Database Tables
- Security Activity
- Gathering Information for Ivant Support
This troubleshooting guide covers common scenarios that require troubleshooting assistance. The first step towards being able to troubleshoot Endpoint Security effectively is education. It is recommended to read some of the materials that explain Endpoint Security. A good starting point is the help file. In addition How to get started with Ivanti Endpoint Security - Application Control is recommended.
Ensure EPS files are all up to date
The number one most important step is ensuring you are running the most recent EPS files. Compare the files in the Program Files (x86)\LDCLIENT\HIPS folder on the client with those in the most recent available patch. In addition compare C:\Windows\System32\Drivers\LDSECDRV.SYS. This is the LANDESK Endpoint Security driver.
A large number of cases are resolved by updating to the latest EPS version. Many cases are reported as being patch X when only the core has been updated to patch X and the client is actually running an old version of Ivanti EPS.
For further information on installing an Ivanti Endpoint Security patch, see How to properly install an Ivanti Endpoint Security component patch
The Endpoint Security settings should be configured as desired prior to the installation of Ivanti Endpoint Security. The settings are updated on the client when Vulscan runs and a change is detected in the setting on the core. As settings are updated on the core they are updated on the client when a vulnerability scan runs. A change settings task can also be used to refresh the client settings. In addition from the client "Run" command you can run "vulscan /changesettings /showui".
Endpoint Security uses several settings files:
Files in the client ProgramData\Vulscan directory
DCMBehavior_Corename_Revision#.xml - Device Control Behavior
Example file: DCMBehavior_LDMS10_v602.xml
(Click image for full size)
EPSBehavior_Corename_Revision#.xml - Top level Endpoint Security Behavior
Example file: EPSBehavior_LDMS10_v606.xml
LDFBehavior_Corename_Revision#.xml - Ivanti EPS Firewall Behavior
Example file: LDFBehavior_LDMS10_v604.xml
(Click image for full size)
TrustedFileList_CoreName_Revision#.xml - Ivanti EPS Trusted File list
Example file: TrustedFileList_LDMS10_v605.xml
(Click image for full size)
Settings Registry key
The behaviors that the client is using can be viewed in the client registry:
(Click image for full size)
Changing EPS Settings
EPS settings can be changed or refreshed by doing a Change Settings task from within the Agent Settings Tool. This tool can be accessed by doing the following steps:
- Open the Agent Settings tool on the Core Server from the tool group Security and Compliance
- Click on the Create a task drop-down (Calendar and clock icon) and select Change settings. This will open up a Patch and Compliance - change settings task dialog
(Click images for full size)
- Select either Keep agent's current settings to force a refresh on the client (Useful if you have gone in and changed something to the existing client setting) or select a different EPS setting in the drop-down menu where it says Keep gent's current settings
in order to switch from one EPS setting to the other.
- Select other task options as desired
- Click Save
A settings update can be initiated from a client by typing "Vulscan /changesettings /showui" from the Run command line.
Endpoint Security Installation
Endpoint Security installation activity is logged in C:\ProgramData\LANDESK\Log\vulscan#.log. You will need to open the different vulscan logs and look for a command line like this:
Command line: /installhips /noupdate /nosync /rebootaction=never /showui=false
There are three ways to install Ivanti Endpoint Security:
Include in Agent Configuration
- Within the Agent Configuration tool (in the Configuration tool group) select Agent Configuration
- Select the desired configuration or create a new agent configuration
- Select the Endpoint Security agent component from within the Start group
- Under the Distribution and Patch section of the tree expand Security and Compliance and select Endpoint Security
- Select the desired Endpoint Security configuration or select Configure and New to create a new configuration
- Click Save
- Schedule Agent deployment as typically scheduled.
Schedule an Install/Update security components task after the agent is already installed
- Open the Agent Settings tool from within the Configuration or Security and Compliance tool group
- Select the Create a task dropdown (Calendar with clock icon).
- Select Install/Update Security Components
- The Patch and Compliance install/update security components task window will appear
- Check the box next to Endpoint Security and select the desired Endpoint Security setting.
- Change other Task Parameters as desired and click Save
- Add clients to the task and schedule it as desired.
Run installation command from client
- Select the Start menu on the client and select Run
- Type in vulscan /installeps /showui and press enter
- At this point Ivanti Endpoint Security will install
- The EPS installation will require a reboot in order to install the driver
(Note: This method will use the EPS configuration that is set as default on the core server)
Endpoint Security Removal
Removing Endpoint Security is similar to the installation of Endpoint Security. The steps above are applicable, however, you will use a Remove security components task instead of the Install/Update Security Components task. Or you will use the vulscan /removeeps /showui command on the client.
In addition, you can reinstall the agent and not include Ivanti EPS as a method for removing LANDESK EPS.
Removing Ivanti Ivanti Endpoint Security may require a reboot to remove the driver
Endpoint Security Patch Installation
Troubleshooting compatibility issues
Occasionally conflicts with third-party drivers and/or applications can cause a conflict with Ivanti Endpoint security. Considering the current installed base of Ivanti Endpoint Security, blue screen incidents have been very limited.
This often can occur when a virtual device driver from another program is updated, or when the third party program behaves in such a way that causes an unexpected exception.
Most often the compatibility issue will present itself as a Blue Screen (BSOD).
When troubleshooting a blue screen, always ensure that the client is up to date with the latest EPS patches from Ivanti. In addition, if the Blue screen does not show LDSECDRV.SYS as the driver causing the issue, investigate the driver file name and see what other products exist that use that filename.
Troubleshooting Blue Screen (BSOD) Issues
Ivanti Endpoint Security is included in a Security Suite subscription, no other licensing is required.
In addition the following registry key exists: HKLM\Software\LANDESK\HIPS
Ivanti EPS uses the following database tables:
- FileInfo (Ivanti EPM Inventory scanner gathers file information and returns it to the core)
- HIPS (Stores the last status of the EPS service - Running or Stopped)
- PatchHistory (Security Activity information)
When an event happens with Ivanti Endpoint Security (Application blocked, device blocked, startup module added, etc) this information is sent to the core server and is then able to be viewed within the Security Activity tool and is stored in the database.
How actions are sent from the Client to the core server
Whenever an action takes place (A device is blocked, shadow copy activity takes place, etc) this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file. If no further activity takes place within 2 minutes, Softmon will send this information to the core server. Otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server. This ActionHistory information gets stored in the SecurityAction table in the database and is displayed in the Security Activity window. After the ActionHistory is sent, the .XML is renamed to .SENT.XML. 11 copies of this file are kept on the client. .sent and then .sent #'s 1-10.
If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file
If ActionHistory is sent via Softmon, this is logged in the Softmon.log file
The following SQL query will return all of the Endpoint Security related activity.
select * from patchhistory where Actioncode IN (81,82,83,84,85,86,87,88,89,90)
List of Endpoint Security Action codes and meaning:
100 Unauthorized file access
101 File recertification
102 Network connection event
103 Network server event
104 Application modification in memory
105 Setup process alert
106 Unauthorized registry modification
109 Unauthorized executable file modification
110 New module added to startup
111 Process buffer overrun
113 Unauthorized execution
114 Uncertified e-mail connection
115 Unauthorized volume
116 New device seen (console inventory purpose)
117 Unauthorized CD/DVD
118 File shadowcopy event
119 Shadowcopy failed due to file oversize
121 DCM temporarily bypassed through password
122 Location awareness - Undefined location found
123 Hardware Key-logger detected
124 EPS config refreshed
125 File shadowcopy using encarchive
126 Files added to certification db
127 Files replaced in certification db
128 Unknown digital signer seen (console learning purpose)
129 Application Control exception user request
130 Monitored folder modification
131 Ivanti Firewall exception user request
- 2017.x only:
132 Write attempt on a physical drive
133 Suspicious file modification
134 Attempt to modify a Ivanti protected file/registry key
Gathering Information for Ivant Support
Debug Log Files
- Open the Endpoint Security GUI by clicking on the EPS system tray icon.Hold LSHIFT (left shift key) + LCTRL (left control key), then click the Drop-down Menu in the upper right (next to the gear icon) to reveal the Extended Menu
- After reproducing the issue, click the Drop-down Menu using LSHIFT and LCTRL and choose Generate debug logs. The debug logs will be saved to your Desktop as eps-logs.zip
The eps-logs.zip file will contain the required information to send to support for troubleshooting.
- Once done generating the Debug Logs, click the Drop-down Menu and choose Disable debug mode.
Turning On/Off Debug Log Files via command line
Turn on debug logging from command line: sc.exe control ldsecsvc 139
Turn off debug logging from command line: sc.exe control ldsecsvc 140
Export Endpoint Security Settings
By exporting the Endpoint Security settings from your core server the Ivanti technician can import your settings into his/her environment and attempt to understand your issue more thoroughly.
Steps to Export Endpoint Security Settings
- From within the Configuration group open the Agent Settings tool.
- Navigate to Security -> All Agent Settings and Endpoint Security
- In the right hand pane right-click the EPS setting in question and select Export.
This will export a .LDMS file that will contain the top-level Endpoint Security setting and all subcomponent settings including Trusted File lists if they are being used. So there is no need to send separate exports of Application Control settings, Device Control settings, etc.
Memory Dump from Blue Screen
If the issue is a Blue Screen error (BSOD) follow these instructions to gather the MEMORY.DMP file to provide to Ivanti support.