How to troubleshoot Ivanti Endpoint Security

Version 24

    Verified Product Versions

    Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x, Endpoint Manager 2018.x


    This troubleshooting guide covers common scenarios that require troubleshooting assistance.  The first step towards being able to troubleshoot Endpoint Security effectively is education.  It is recommended to read some of the materials that explain Endpoint Security.  A good starting point is the help file.  In addition, the article "How to get started with Ivanti Endpoint Security - Application Control" is recommended.


    Ensure EPS files are all up to date


    The most important step is ensuring that you are running the most recent EPS files.  Compare the files in the Program Files (x86)\LDCLIENT\HIPS folder on the client with those in the most recent available patch.  In addition, compare C:\Windows\System32\Drivers\LDSECDRV.SYS, which is the LANDESK Endpoint Security driver.


    A large number of cases are resolved by updating to the latest EPS version.  Many cases are reported as being on patch X when only the core has been updated to patch X and the client is actually running an old version of Ivanti EPS.

    For further information on installing an Ivanti Endpoint Security patch, see How to properly install an Ivanti Endpoint Security component patch
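
    One way to run the file comparison described above, as an added example (not Ivanti tooling): it hashes each file from an extracted patch and reports whether the client copy is missing, identical or different, with both file versions.  $PatchDir and the flat patch layout are assumptions; the client folders are the ones named on this page.

```powershell
# Added example, not Ivanti tooling. Assumes the patch was extracted to a flat
# folder ($PatchDir, hypothetical) whose file names match those on the client.
function Compare-EpsFiles {
    param(
        [Parameter(Mandatory)][string]$PatchDir,
        # Client locations named on this page; override them if yours differ.
        [string]$HipsDir   = (Join-Path ${env:ProgramFiles(x86)} 'LDCLIENT\HIPS'),
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\Drivers')
    )
    foreach ($patchFile in Get-ChildItem -LiteralPath $PatchDir -File) {
        # The EPS driver lives under System32\Drivers, everything else under HIPS.
        $dir = if ($patchFile.Name -eq 'LDSECDRV.SYS') { $DriverDir } else { $HipsDir }
        $clientPath = Join-Path $dir $patchFile.Name
        $status = 'Missing'
        $clientVersion = $null
        if (Test-Path -LiteralPath $clientPath -PathType Leaf) {
            $clientVersion = (Get-Item -LiteralPath $clientPath).VersionInfo.FileVersion
            $clientHash = (Get-FileHash -LiteralPath $clientPath -Algorithm SHA256).Hash
            $patchHash  = (Get-FileHash -LiteralPath $patchFile.FullName -Algorithm SHA256).Hash
            $status = if ($clientHash -eq $patchHash) { 'Current' } else { 'Differs' }
        }
        [pscustomobject]@{
            File          = $patchFile.Name
            Status        = $status
            ClientVersion = $clientVersion
            PatchVersion  = $patchFile.VersionInfo.FileVersion
        }
    }
}

# Constructed demo: temp folders stand in for the extracted patch and the client.
$root   = Join-Path ([IO.Path]::GetTempPath()) "eps-demo-$PID"
$patch  = (New-Item -ItemType Directory -Force -Path (Join-Path $root 'patch')).FullName
$client = (New-Item -ItemType Directory -Force -Path (Join-Path $root 'client')).FullName
Set-Content -LiteralPath (Join-Path $patch  'same.bin')     -Value 'build 2'
Set-Content -LiteralPath (Join-Path $client 'same.bin')     -Value 'build 2'
Set-Content -LiteralPath (Join-Path $patch  'LDSECDRV.SYS') -Value 'build 2'
Set-Content -LiteralPath (Join-Path $client 'LDSECDRV.SYS') -Value 'build 1'
Set-Content -LiteralPath (Join-Path $patch  'absent.bin')   -Value 'build 2'
Compare-EpsFiles -PatchDir $patch -HipsDir $client -DriverDir $client | Format-Table
Remove-Item -LiteralPath $root -Recurse -Force
```

    On a real client, call Compare-EpsFiles with only -PatchDir and filter the result for any Status other than Current.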




    The Endpoint Security settings should be configured as desired prior to the installation of Ivanti Endpoint Security.  When settings are changed on the core, the client is updated the next time Vulscan (the vulnerability scan) runs and detects the change.  A change settings task can also be used to refresh the client settings.  In addition, you can run "vulscan /changesettings /showui" from the client "Run" command.


    Settings files


    Endpoint Security uses several settings files:


    Files in the client ProgramData\Vulscan directory

    DCMBehavior_Corename_Revision#.xml - Device Control Behavior

    Example file: DCMBehavior_LDMS10_v602.xml



    EPSBehavior_Corename_Revision#.xml - Top level Endpoint Security Behavior

    Example file: EPSBehavior_LDMS10_v606.xml



    LDFBehavior_Corename_Revision#.xml - Ivanti EPS Firewall Behavior

    Example file: LDFBehavior_LDMS10_v604.xml




    TrustedFileList_CoreName_Revision#.xml - Ivanti EPS Trusted File list


    Example file: TrustedFileList_LDMS10_v605.xml
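
    The naming convention above can be parsed to see which revision of each settings file a client holds, which helps confirm whether a change made on the core has reached it.  This is an added example, not Ivanti tooling; the file names in the demo are constructed, apart from the pattern taken from the examples above.

```powershell
# Added example, not Ivanti tooling. Parses the file-name convention shown above:
#   <Type>_<Corename>_v<Revision>.xml
function Get-EpsSettingsRevision {
    param([Parameter(Mandatory)][string[]]$FileName)
    $pattern = '^(?<Type>DCMBehavior|EPSBehavior|LDFBehavior|TrustedFileList)' +
               '_(?<Core>.+)_v(?<Rev>\d+)\.xml$'
    $parsed = foreach ($name in $FileName) {
        # Names that do not follow the convention are skipped.
        if ($name -match $pattern) {
            [pscustomobject]@{
                Type     = $Matches.Type
                Core     = $Matches.Core       # greedy match keeps underscores in a core name
                Revision = [int]$Matches.Rev
            }
        }
    }
    # One row per settings type and core: newest revision plus any others present.
    $parsed | Group-Object Type, Core | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Revision -Descending)
        $others = @($sorted | Select-Object -Skip 1 | ForEach-Object { $_.Revision })
        [pscustomobject]@{
            Type           = $sorted[0].Type
            Core           = $sorted[0].Core
            NewestRevision = $sorted[0].Revision
            OtherRevisions = $others -join ','
        }
    }
}

# Constructed file names. On a client, pass the names from ProgramData\Vulscan:
#   Get-ChildItem (Join-Path $env:ProgramData 'Vulscan') -Filter *.xml |
#       ForEach-Object { $_.Name }
$sample = 'EPSBehavior_LDMS10_v606.xml', 'EPSBehavior_LDMS10_v598.xml',
          'DCMBehavior_LDMS10_v602.xml', 'LDFBehavior_CORE_01_v12.xml', 'notes.xml'
Get-EpsSettingsRevision -FileName $sample | Format-Table
```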





    Settings Registry key

    The behaviors that the client is using can be viewed in the client registry:




    Changing EPS Settings

    EPS settings can be changed or refreshed by doing a Change Settings task from within the Agent Settings Tool.  This tool can be accessed by doing the following steps:


      1. Open the Agent Settings tool on the Core Server from the tool group Security and Compliance
      2. Click on the Create a task drop-down (Calendar and clock icon) and select Change settings.  This will open up a Patch and Compliance - change settings task dialog             

      3. Select either Keep agent's current settings to force a refresh on the client (useful if you have changed something in the existing client setting), or select a different EPS setting in the drop-down menu where it says Keep agent's current settings in order to switch from one EPS setting to the other.
      4. Select other task options as desired
      5. Click Save

    A settings update can be initiated from a client by typing "Vulscan /changesettings /showui" from the Run command line.

    Endpoint Security Installation


    Endpoint Security installation activity is logged in C:\ProgramData\LANDESK\Log\vulscan#.log.  You will need to open the different vulscan logs and look for a command line like this:
    Command line: /installhips /noupdate /nosync /rebootaction=never /showui=false
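
    Rather than opening each vulscan log by hand, the search can be scripted.  This is an added example, not Ivanti tooling: it only assumes that the log contains the text "Command line:" followed by the switches, as in the line above, and it recognizes only the vulscan switches that appear on this page.  The demo log content is constructed.

```powershell
# Added example, not Ivanti tooling. Lists EPS-related vulscan runs found in logs.
function Find-EpsVulscanCommand {
    param([Parameter(Mandatory)][string[]]$Path)   # wildcards allowed
    # vulscan switches that appear on this page and the action each one starts.
    $actions = [ordered]@{
        '/installhips'    = 'Install'
        '/installeps'     = 'Install'
        '/removeeps'      = 'Remove'
        '/changesettings' = 'ChangeSettings'
    }
    Select-String -Path $Path -Pattern 'Command line:\s*(?<Args>.+)$' | ForEach-Object {
        $hit  = $_
        $opts = @{}
        # Keep only /switch or /switch=value tokens; ignore anything else on the line.
        foreach ($tok in ($hit.Matches[0].Groups['Args'].Value -split '\s+')) {
            if ($tok -like '/*') {
                $name, $value = $tok -split '=', 2
                $opts[$name.ToLower()] = if ($null -ne $value) { $value } else { '(set)' }
            }
        }
        foreach ($key in $actions.Keys) {
            if ($opts.ContainsKey($key)) {
                [pscustomobject]@{
                    Action       = $actions[$key]
                    Log          = $hit.Filename
                    Line         = $hit.LineNumber
                    RebootAction = $opts['/rebootaction']
                    ShowUI       = $opts['/showui']
                }
            }
        }
    }
}

# Constructed log text; the first line is the one shown on this page.
$log = Join-Path ([IO.Path]::GetTempPath()) "vulscan-demo-$PID.log"
Set-Content -LiteralPath $log -Value @(
    'Command line: /installhips /noupdate /nosync /rebootaction=never /showui=false'
    'Constructed filler line that is not a command line'
    'Command line: /removeeps /showui'
)
Find-EpsVulscanCommand -Path $log | Format-Table
Remove-Item -LiteralPath $log
# On a client: Find-EpsVulscanCommand -Path 'C:\ProgramData\LANDESK\Log\vulscan*.log'
```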



    There are three ways to install Ivanti Endpoint Security:


    Include in Agent Configuration


      1. Within the Agent Configuration tool (in the Configuration tool group) select Agent Configuration
      2. Select the desired configuration or create a new agent configuration
      3. Select the Endpoint Security agent component from within the Start group
      4. Under the Distribution and Patch section of the tree expand Security and Compliance and select Endpoint Security
      5. Select the desired Endpoint Security configuration or select Configure and New to create a new configuration
      6. Click Save
      7. Schedule Agent deployment as typically scheduled.


    Schedule an Install/Update security components task after the agent is already installed


      1. Open the Agent Settings tool from within the Configuration or Security and Compliance tool group
      2. Select the Create a task dropdown (Calendar with clock icon).
      3. Select Install/Update Security Components
      4. The Patch and Compliance install/update security components task window will appear
      5. Check the box next to Endpoint Security and select the desired Endpoint Security setting.
      6. Change other Task Parameters as desired and click Save
      7. Add clients to the task and schedule it as desired.


    Run installation command from client

      1. Select the Start menu on the client and select Run
      2. Type in vulscan /installeps /showui and press enter
      3. At this point Ivanti Endpoint Security will install
      4. The EPS installation will require a reboot in order to install the driver

    (Note: This method will use the EPS configuration that is set as default on the core server)


    Endpoint Security Removal


    Removing Endpoint Security is similar to the installation of Endpoint Security.  The steps above are applicable; however, you will use a Remove security components task instead of the Install/Update Security Components task.  Alternatively, use the vulscan /removeeps /showui command on the client.

    In addition, reinstalling the agent without including Ivanti EPS is another method for removing LANDESK EPS.

    Removing Ivanti Endpoint Security may require a reboot to remove the driver.



    Endpoint Security Patch Installation


    How to properly install an Ivanti Endpoint Security component patch



    Troubleshooting compatibility issues

    Occasionally, third-party drivers and/or applications can conflict with Ivanti Endpoint Security.  Considering the current installed base of Ivanti Endpoint Security, blue screen incidents have been very limited.


    This can often occur when a virtual device driver from another program is updated, or when the third-party program behaves in a way that causes an unexpected exception.


    Most often the compatibility issue will present itself as a Blue Screen (BSOD).


    When troubleshooting a blue screen, always ensure that the client is up to date with the latest EPS patches from Ivanti.  In addition, if the blue screen does not show LDSECDRV.SYS as the driver causing the issue, investigate the driver file name and see what other products exist that use that filename.



    Troubleshooting Blue Screen (BSOD) Issues


    How to troubleshoot bluescreen issues



    Product Licensing


    Ivanti Endpoint Security is included in a Security Suite subscription; no other licensing is required.


    Registry Keys




    In addition the following registry key exists: HKLM\Software\LANDESK\HIPS



    Database Tables


    Ivanti EPS uses the following database tables:

      • EPSRepCache
      • FileInfo (Ivanti EPM Inventory scanner gathers file information and returns it to the core)
      • HIPS (Stores the last status of the EPS service - Running or Stopped)
      • PatchHistory (Security Activity information)
      • ShadowCopyAction


    Security Activity


    When an event happens with Ivanti Endpoint Security (application blocked, device blocked, startup module added, etc.), this information is sent to the core server, where it is stored in the database and can be viewed within the Security Activity tool.


    How actions are sent from the Client to the core server

    Whenever an action takes place (a device is blocked, shadow copy activity takes place, etc.), this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file.  If no further activity takes place within 2 minutes, Softmon will send this information to the core server.  Otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server.  This ActionHistory information gets stored in the SecurityAction table in the database and is displayed in the Security Activity window.  After the ActionHistory is sent, the .XML is renamed to .SENT.XML.  11 copies of this file are kept on the client: .sent and then .sent numbers 1-10.


    If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file

    If ActionHistory is sent via Softmon, this is logged in the Softmon.log file


    The following SQL query will return all of the Endpoint Security related activity.

    select * from patchhistory where Actioncode IN (81,82,83,84,85,86,87,88,89,90)


    List of Endpoint Security Action codes and meaning:


    100  Unauthorized file access

    101  File recertification

    102  Network connection event

    103  Network server event

    104  Application modification in memory

    105  Setup process alert

    106  Unauthorized registry modification

    109  Unauthorized executable file modification

    110  New module added to startup

    111  Process buffer overrun

    113  Unauthorized execution

    114  Uncertified e-mail connection

    115  Unauthorized volume

    116  New device seen (console inventory purpose)

    117  Unauthorized CD/DVD

    118  File shadowcopy event

    119  Shadowcopy failed due to file oversize

    121  DCM temporarily bypassed through password

    122  Location awareness - Undefined location found

    123  Hardware Key-logger detected

    124  EPS config refreshed

    125  File shadowcopy using encarchive

    126  Files added to certification db

    127  Files replaced in certification db

    128  Unknown digital signer seen (console learning purpose)

    129  Application Control exception user request

    130  Monitored folder modification

    131  Ivanti Firewall exception user request


    2017.x only:


    132  Write attempt on a physical drive

    133  Suspicious file modification

    134  Attempt to modify an Ivanti protected file/registry key


    Gathering Information for Ivanti Support

    Debug Log Files

      1. Open the Endpoint Security GUI by clicking on the EPS system tray icon.  Hold LSHIFT (left shift key) + LCTRL (left control key), then click the Drop-down Menu in the upper right (next to the gear icon) to reveal the Extended Menu.

      2. After reproducing the issue, click the Drop-down Menu using LSHIFT and LCTRL and choose Generate debug logs.  The debug logs will be saved to your Desktop as

        The file will contain the required information to send to support for troubleshooting.

      3. Once done generating the Debug Logs, click the Drop-down Menu and choose Disable debug mode.


    Turning On/Off Debug Log Files via command line

    Turn on debug logging from command line: sc.exe control ldsecsvc 139

    Turn off debug logging from command line: sc.exe control ldsecsvc 140


    Export Endpoint Security Settings


    By exporting the Endpoint Security settings from your core server the Ivanti technician can import your settings into his/her environment and attempt to understand your issue more thoroughly.


    Steps to Export Endpoint Security Settings


      1. From within the Configuration group open the Agent Settings tool.
      2. Navigate to Security -> All Agent Settings and Endpoint Security
      3. In the right-hand pane, right-click the EPS setting in question and select Export.
        This will export a .LDMS file that will contain the top-level Endpoint Security setting and all subcomponent settings including Trusted File lists if they are being used.  So there is no need to send separate exports of Application Control settings, Device Control settings, etc.


    Memory Dump from Blue Screen


    If the issue is a Blue Screen error (BSOD) follow these instructions to gather the MEMORY.DMP file to provide to Ivanti support.