How to troubleshoot New Ivanti Antivirus 2017 (Bitdefender Engine)

Version 49

    Verified Product Versions

    Endpoint Manager 2017.x
    Endpoint Manager 2018.x

    How to troubleshoot the new Ivanti Antivirus (Bitdefender Engine)

     

    This document walks through the logical steps, from setting up the Update Server on your Core Server down to troubleshooting common client issues.

    General Information

     

    Ivanti Antivirus 2017 Error Codes

     

    Further information is available here: About Ivanti Antivirus 2017 (Bitdefender Engine) Error Codes

    Preparing Network Appliances to allow Ivanti Antivirus 2017 traffic

     

    1. Ensure that your Core Server and clients have access to the following URL: http://ivanti-60013e4c-1d97-4269-b5b7-625530f25c30.2d7dd.cdn.bitdefender.net/
    2. You will likely need to whitelist *.cdn.bitdefender.net or *.bitdefender.net on your firewall or other network security appliances.
    3. Be sure that the connection to the Cloud services is not blocked by the corporate firewall or network filtering solution. Whitelist the nimbus.bitdefender.net address on port 443 and allow the other addresses that originate from there.

       You can test the connection using telnet nimbus.bitdefender.net 443, or with a web browser by accessing, for example, https://nimbus.bitdefender.net/url/status?url=http://ivanti.com

    4. It is also best to exclude your Core Server's traffic from Internet caching appliances: it has often been seen that the caching appliance serves up outdated information to the Core Server, resulting in multiple issues.

    5. Make sure port 7074 is open and accessible on the Core Server.
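    As an added example (not part of the Ivanti article), the following PowerShell checks the external endpoints from the list above from whichever machine it runs on. The hostnames and the status URL come from the list; port 80 for the http:// CDN URL is an assumption.

```powershell
# Added example (not from the Ivanti article). Hostnames and ports come from the
# checklist above; port 80 for the http:// CDN URL is an assumption.
$CdnHost    = 'ivanti-60013e4c-1d97-4269-b5b7-625530f25c30.2d7dd.cdn.bitdefender.net'
$NimbusHost = 'nimbus.bitdefender.net'
$StatusUrl  = 'https://nimbus.bitdefender.net/url/status?url=http://ivanti.com'

function Test-TcpPath {
    param([string]$Name, [string]$TargetHost, [int]$Port)
    # DNS first: a rule that permits the IP but blocks name resolution still fails here.
    $resolved = [bool](Resolve-DnsName -Name $TargetHost -ErrorAction SilentlyContinue)
    # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
    $open = if ($resolved) {
        Test-NetConnection -ComputerName $TargetHost -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    } else { $false }
    [pscustomobject]@{ Check = $Name; Target = "${TargetHost}:$Port"; Resolves = $resolved; TcpOpen = $open }
}

$results = @(
    Test-TcpPath -Name 'Bitdefender CDN (pattern files)' -TargetHost $CdnHost    -Port 80
    Test-TcpPath -Name 'Bitdefender cloud (nimbus)'      -TargetHost $NimbusHost -Port 443
)
$results | Format-Table -AutoSize

# The article's browser test, from the shell. HTTP 200 means HTTPS to the cloud
# service is not blocked; a proxy or inspection error points at the appliance.
try {
    $r = Invoke-WebRequest -Uri $StatusUrl -UseBasicParsing -TimeoutSec 15
    "nimbus status endpoint: HTTP $($r.StatusCode)"
} catch {
    "nimbus status endpoint: FAILED - $($_.Exception.Message)"
}

# Run this on the Core Server and on a representative client; both must pass, and
# the Core Server should additionally be excluded from any caching appliance (item 4).
```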

     


    Product Licensing

     

    After purchasing the license/subscription for the new Ivanti Antivirus product and installing 2017.3 Service Update 2 on the core server, the following steps must be performed prior to deploying the new solution to your managed endpoints. If transitioning from the previous Ivanti Antivirus offering to the NEW Ivanti Antivirus offering, no additional purchase is required, but you will need to consult with your Sales representative to ensure the license is updated. In the event that the two licenses listed below are not showing up, you need to reactivate your core server by going to the Start Menu on the Core Server, typing "Core Server Activation" and pressing <Enter>. After core server activation, verify that one of the following sets of licenses exists:

    Ivanti EPM Version 2017.x

    • Ivanti Antivirus Manager 2017 License             
    • Ivanti Antivirus Manager 2017 Subscription


    Ivanti EPM Version 2018.xx

    • Ivanti Antivirus Manager 2018 License
    • Ivanti Antivirus Manager 2018 Subscription

    Note: Ivanti Antivirus 2017/2018 (Bitdefender engine) is licensed on a per-server basis and not per client.  The Security Activity tool will show "unknown" for these licenses or words to that effect.

     


    Installation of the Update Server on your Ivanti Core Server

    The Update Server cannot be installed on any server other than the Core Server.

     

    1. Run Download Updates manually with any item(s) selected. (Recommended: Download Ivanti 10.x.x Software Updates, as it is a short process.)
    2. After completion, reopen Download Updates. The Ivanti Antivirus Core Installation Files option should be present.
    3. Check the box and run Download Updates again to get the needed antivirus install files.

     

    [Screenshot: IvantiCoreAVFiles.jpg]

    If at this point you don't have the Ivanti Antivirus Core Installation Files listed you will need to contact Ivanti Licensing Support to get your license updated.

     

    You should see the following UI after a successful install:

     

    [Screenshot: AVSetupSuccess.jpg]

     

    A successful log file will look like this after AVSETUP installation:

    3356 4 2018-02-22 11:46:12Z INFO install pkg path: C:\Program Files\LANDesk\ManagementSuite\ldlogon\avclientbd\updateserverinstall\..\epsecurity_x64.exe
    3356 4 2018-02-22 11:46:59Z INFO install process exit code 0
    3356 4 2018-02-22 11:46:59Z INFO install update server successfully
    3356 4 2018-02-22 11:46:59Z WARN Failed to create shortcut.
    LinkSource:
    LinkDestDirectory:
    LinkName:
    3356 4 2018-02-22 11:47:01Z INFO Json request result:0
    3356 5 2018-02-22 11:47:01Z INFO response Json:{"response":{"data":{"UpdateServer":[{"@name":"SetProxySettings","error":0,"output":null}]}},"type":"epsdk"}
    3356 5 2018-02-22 11:47:01Z INFO set proxy for update server successfully!
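    An added example, not from the article: a PowerShell summary of avsetup.log that uses the line shape seen in the sample above (pid, thread, UTC timestamp, level, message) and folds non-matching lines such as LinkSource: into the preceding entry. The log path is the one the article gives for avsetup.log.

```powershell
# Added example (not from the Ivanti article). Parses avsetup.log using the line
# shape from the sample above: "<pid> <tid> <UTC time> <LEVEL> <message>". Lines that
# do not match (LinkSource:, LinkDestDirectory:, ...) belong to the preceding entry.
$LogPath = 'C:\ProgramData\LANDesk\Install\Log\avsetup.log'

function Get-AvSetupSummary {
    param([string[]]$Lines)
    $pattern = '^(?<pid>\d+)\s+(?<tid>\d+)\s+(?<time>\S+)\s+(?<level>[A-Z]+)\s+(?<msg>.*)$'
    $entries = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $entries.Add([pscustomobject]@{ Time = $Matches.time; Level = $Matches.level; Message = $Matches.msg })
        } elseif ($entries.Count -gt 0 -and $line.Trim().Length -gt 0) {
            # continuation line: fold it into the previous entry's message
            $entries[$entries.Count - 1].Message += ' | ' + $line.Trim()
        }
    }
    $exitCode = $null
    foreach ($e in $entries) {
        if ($e.Message -match 'install process exit code (\d+)') { $exitCode = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Entries   = $entries.Count
        ExitCode  = $exitCode                          # 0 in the successful sample
        Installed = [bool]($entries | Where-Object { $_.Message -like 'install update server successfully*' })
        ProxySet  = [bool]($entries | Where-Object { $_.Message -like 'set proxy for update server successfully*' })
        # WARN/ERROR entries. The sample's "Failed to create shortcut" WARN appears
        # in a successful install, so a WARN is not by itself a failure.
        Problems  = @($entries | Where-Object { $_.Level -ne 'INFO' })
    }
}

if (Test-Path $LogPath) {
    $summary = Get-AvSetupSummary -Lines (Get-Content -Path $LogPath)
    $summary | Select-Object Entries, ExitCode, Installed, ProxySet | Format-List
    $summary.Problems | Format-Table Time, Level, Message -Wrap
} else {
    "No $LogPath found: AVSetup has not run on this machine, or it is not the Core Server."
}
```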

     

     

     

    Possible Issues with AVSetup installation

     

    1. AVSETUP will fail to complete if it is run before the Ivanti Antivirus Core Installation Files have been downloaded in the patch content. The AVSETUP file looks for epsecurity_x64.exe in the \\coreservername\ldlogon\avclientbd folder, and this file will not exist until the Core Installation Files are downloaded.
    2. AVSETUP will not run if a competing, and possibly conflicting, anti-malware program is installed on the core server. In most cases we recommend removing that software and replacing it with the Ivanti Antivirus solution; however, we realize this is not always possible.

       You can make an XML edit to allow AVSETUP to install anyway. (However, Ivanti Support will not be responsible for conflicts in this case.)

     

    Add the following line to \ManagementSuite\LDLogon\avclientbd\updateserverinstall\InstallerConfig.xml

    <skipRemOtherProducts var="SkipCompetitors">1</skipRemOtherProducts>

     

    Use this with caution. This may cause conflicts if you end up having two anti-malware products on the core at the same time.

    AVSetup Installation Logging

     

    AVSetup does a full scan of the Core Server during installation and installs the

     

    C:\ProgramData\LANDesk\Install\Log\avsetup.log

     

    Core Side Services

     

    AVSetup creates four services on the Core Server:

    Service Name                        | Description
    ------------------------------------|----------------------------------------------------------------------------------
    Ivanti Endpoint Integration Service | Applies the security server settings to a managed client product
    Ivanti Endpoint Security Service    | Provides protection against malware and other security threats on the core server
    Ivanti Endpoint Update Service      | Allows Endpoint to update Antivirus Content from the Core Server
    EPUpdateServer                      | Downloads Ivanti product updates and malware signatures to the Update Server

     

    Core Server Pattern File Updates

     

    Pattern files are updated on the Core Server using the EPUpdateServer process.  Ensure that this service is running if you are experiencing pattern file update issues.  In addition, check the Antivirus 2017 tab in the Download Updates tool within the Security and Compliance Manager tool to ensure you have the right interval set and also check the last pattern file update date and time.

     

    You can check the update server on the core by looking at the log here:

     

    C:\Program Files\Ivanti\Update Server\var\log\arrakis\update.log

    Server Update Activity Logging

    Log File   | Location                                              | Description
    -----------|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------
    update.log | C:\Program Files\Ivanti\Update Server\var\log\arrakis | Logs download activity of pattern file updates to the core server through the Ivanti Endpoint Update Service

    Ivanti Antivirus 2017 Client Installation

     

    Ivanti Antivirus 2017 will not install as part of the Agent Configuration. The "Ivanti Antivirus" option within the Agent Configuration refers to the Kaspersky-based version of our Antivirus product.

     

    Two different methods can be used to install Ivanti Antivirus on a client.

     

    Installed through an Install/Update Security Components Task

     

      1. Open the Agent Settings Tool within the Ivanti Endpoint Manager console.
      2. Select the Calendar icon drop-down and select "Install/Update security components"
      3. Check the box next to "Ivanti Antivirus 2017"
      4. Choose whether to show the installation progress dialog on the client
      5. Select whether to "Troubleshoot Ivanti Antivirus installation using interactive mode".
        (This mode will allow you to click through the installation manually)
      6. Select whether you want to force the installation of Antivirus even if the same version is already installed.
        (Unless this is selected it will not install again on top of itself)
      7. Click "Save"
      8. At this point, the Scheduled Tasks tool will open with a task named "Install or update Security Components" or another name if you chose to rename the task.
      9. Select your targets and start or schedule the task.

     

    Installation log files

    Log File             | Location                   | Description
    ---------------------|----------------------------|-----------------------------------------------------------------------------------------------------------------
    ldav_install.log     | C:\ProgramData\landesk\log | Logs the installation activity of Ivanti Antivirus 2017 (final name and location once it is finished)
    vulscan.pid_xxxx.log | C:\Programdata\Vulscan     | Active log file during the installation of Ivanti Antivirus. Gets renamed to C:\ProgramData\LANDesk\log\ldav_install.log when done

    Note: The ldav_install.log starts out as a vulscan.pid_xxxx.log in C:\Programdata\vulscan (Where xxxx is the process id).  After the Antivirus installation it is renamed to ldav_install.log.   So if you are monitoring the installation you will want to look at the vulscan.pid_xxxx.log file.  You will know it is the correct log file if it starts with "Command line: /installavnew" or a variation that contains "/installavnew".

    Uninstalling Ivanti Antivirus 2017

    Two different methods can be used to uninstall Ivanti Antivirus from a client.

     

    Uninstall through an Install/Update Security Components Task

      1. Open the Agent Settings Tool within the Ivanti Endpoint Manager console.
      2. Select the Calendar icon drop-down and select "Remove security components"
      3. Check the box next to "Ivanti Antivirus 2017"
      4. Select the desired Reboot Setting
      5. Choose whether to show the Uninstallation progress dialog on the client.
      6. Click "Save".
      7. At this point, the Scheduled Tasks tool will open with a task named "Remove Security Components" or another name if you chose to rename the task.
      8. Select your targets and start or schedule the task.

     

    Uninstall from a command line on the client computer

    From the client "Run" line or search box run "Vulscan /removeavnew". You can add the parameter "/showui" if

     

    Uninstall log files

    Uninstall activity is logged to "ldav_install.log", and the same rules apply as for the installation log: it starts out as vulscan.pid_xxxx.log and is renamed to "ldav_install.log" afterwards.

     


    Client Pattern Files Updates

     

    Logging for client pattern file update activity is stored in the following log:

     

    Filename        | Location                   | Description
    ----------------|----------------------------|-----------------------------------------------
    ldav_update.log | C:\Programdata\LANDesk\log | Logging of client pattern file update activity

     

    To force an immediate update on the client run  "C:\Program Files (x86)\LANDesk\LDClient\Antivirus\LDAV.exe" /update

     

    [Screenshot: CheckForUpdates.jpg]

    Note: The "Check for updates" button in the Client UI does not work at this time. Clicking this button will do nothing. Instead, the "ldav /update" option should be used.

    Troubleshooting Pattern File Updates failing

     

    The pattern file updates reach out to two sources by default:

    • The Core Server
    • av-update.ivanti.com, which is changed to ivanti-60013e4c-1d97-4269-b5b7-625530f25c30.2d7dd.cdn.bitdefender.net in the agent's AVNewBehavior_xxxx.xml file.

    For this to work:

    • The Core Server needs to be able to reach "ivanti-60013e4c-1d97-4269-b5b7-625530f25c30.2d7dd.cdn.bitdefender.net".
      (If you want the clients to update from the internet in case the Core Server is down, make sure the clients can also reach the bitdefender.net address.)
    • The client needs to be able to reach the Core Server on port 7074.

     

    The registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors should contain a string value named "avnewbehavior" whose data is "CORESERVERNAME_vxxx", where xxx is the version number.

     

    If this is not there try running a change settings task and select the specific Antivirus 2017 setting name and push it to the client.

     

    [Screenshot: AVNewKey.png]

     

    Within the AVNewBehavior XML file there is a section called UPDATESERVER_URLS which tells the client where to go for updates.

     

    <Name>UPDATESERVER_URLS</Name>

    <Val>["EPM2018-1:7074","ivanti-60013e4c-1d97-4269-b5b7-625530f25c30.2d7dd.cdn.bitdefender.net"]</Val>

     

    These pattern files are hosted at port 7074.  So the connection to this port must be open and available.
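    Added example (not from the article): PowerShell that reads the avnewbehavior registry value described above and the UPDATESERVER_URLS list from the agent's AVNewBehavior XML, then probes each listed source. The registry path, the value format and the element name are from the article; the XML layout (a <Val> element following <Name>), the folders searched for the behaviour file, and port 80 for the bare CDN hostname are assumptions.

```powershell
# Added example (not from the Ivanti article). Registry path, value format and
# the UPDATESERVER_URLS element are from the article; the XML layout, the search
# folders for AVNewBehavior_xxxx.xml and port 80 for the CDN host are assumptions.
$RegKey = 'HKLM:\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors'

# 1. avnewbehavior tells vulscan which Antivirus 2017 setting (CORESERVERNAME_vxxx) applies.
$beh = (Get-ItemProperty -Path $RegKey -ErrorAction SilentlyContinue).avnewbehavior
if ($beh -and $beh -match '^(?<core>.+)_v(?<ver>[^_]+)$') {
    "avnewbehavior = $beh (core: $($Matches.core), setting version: $($Matches.ver))"
} else {
    "avnewbehavior missing or malformed ('$beh'): push the Antivirus 2017 setting with a Change Settings task"
}

# 2. Pull the UPDATESERVER_URLS list out of the behaviour XML.
function Get-UpdateServerUrls {
    param([string]$XmlPath)
    [xml]$doc = Get-Content -Path $XmlPath -Raw
    # Assumption: <Val> is the sibling that follows <Name>UPDATESERVER_URLS</Name>
    $val = $doc.SelectSingleNode("//Name[.='UPDATESERVER_URLS']/following-sibling::Val[1]")
    if (-not $val) { return [string[]]@() }
    return [string[]]($val.InnerText | ConvertFrom-Json)   # <Val> holds a JSON string array
}

# 3. Probe one entry: "host:port" for the core, bare hostname (http, port 80 assumed) for the CDN.
function Test-UpdateSource {
    param([string]$Entry)
    $hostName, $port = $Entry -split ':', 2
    if (-not $port) { $port = '80' }
    $ok = Test-NetConnection -ComputerName $hostName -Port ([int]$port) -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Source = $Entry; Host = $hostName; Port = [int]$port; Reachable = $ok }
}

# Assumed locations for the behaviour file; adjust for your agent install.
$xml = Get-ChildItem -Path 'C:\ProgramData\LANDesk', 'C:\Program Files (x86)\LANDesk\LDClient' `
        -Filter 'AVNewBehavior*.xml' -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
if ($xml) {
    "Behaviour file: $($xml.FullName)"
    Get-UpdateServerUrls -XmlPath $xml.FullName |
        ForEach-Object { Test-UpdateSource -Entry $_ } | Format-Table -AutoSize
} else {
    'No AVNewBehavior_*.xml found in the assumed locations; see the registry check above.'
}
```

    A core entry that resolves but is not reachable on 7074 matches the Error 1011 (I/O Timeout) causes listed later in this document.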

     

    To check if port 7074 is open on your core server you can run "netstat -ab | more"; you should see it near the top of the list:

    Ports 7074 and 7076 opened by "EPUPDATESERVER"

     

    You can also Telnet to the hostname of the core to the 7074 port to see if it responds with anything by running "Telnet {coreservername} 7074".  If the screen clears and it shows a prompt in the upper left corner the connection was successful.
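    Added example, not the article's own code: the core-side checks in this section (the four AVSetup services, the 7074/7076 listeners that "netstat -ab" shows, and the telnet test) done from PowerShell. Service names and ports are taken from the article.

```powershell
# Added example (not from the Ivanti article). Service names and the
# 7074/7076 ports are taken from the article text.
$ExpectedServices = @(
    'Ivanti Endpoint Integration Service',
    'Ivanti Endpoint Security Service',
    'Ivanti Endpoint Update Service',
    'EPUpdateServer'
)

# 1. All four AVSetup services should exist and be running; EPUpdateServer is
#    the one that downloads pattern files, so it matters most for update issues.
$services = foreach ($name in $ExpectedServices) {
    $svc = Get-Service | Where-Object { $_.DisplayName -eq $name -or $_.Name -eq $name } |
           Select-Object -First 1
    $status = if ($svc) { [string]$svc.Status } else { 'MISSING - re-run AVSetup as Administrator' }
    [pscustomobject]@{ Service = $name; Status = $status }
}
$services | Format-Table -AutoSize

# 2. Equivalent of "netstat -ab": which process owns the 7074/7076 listeners.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 7074 -or $_.LocalPort -eq 7076 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = $proc.ProcessName   # expected: EPUpdateServer
            PID     = $_.OwningProcess
        }
    }
if ($listeners) {
    $listeners | Format-Table -AutoSize
} else {
    'Nothing is listening on 7074/7076 - check the EPUpdateServer service above.'
}

# 3. The article's telnet test as a TCP handshake. Run on the core it tests the
#    local listener; from a client, set $CoreServer to the core's hostname.
$CoreServer = $env:COMPUTERNAME
Test-NetConnection -ComputerName $CoreServer -Port 7074 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```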

     

    You can check the update server on the core by looking at the log here:

     

    C:\Program Files\Ivanti\Update Server\var\log\arrakis\update.log

    Quarantine Files

    Files that have been quarantined are stored in C:\Program Files\Ivanti\Endpoint\Quarantine

    Items to gather for the Ivanti Support Technician

     

    Log Files

     

    Core Server

    Log filename and path                                            | When to gather
    -----------------------------------------------------------------|------------------------------------------------------------
    C:\ProgramData\LANDesk\Install\Log\avsetup.log                   | Issues with the Update Server installing on the Core Server
    C:\Program Files\Ivanti\Update Server\var\log\arrakis\update.log | Issues with downloading pattern files on the Core Server

     

    Client

    Log filename and path                               | When to gather
    ----------------------------------------------------|-------------------
    C:\ProgramData\LANDesk\vulscan\ldav*.log            | All client issues
    C:\ProgramData\LANDesk\vulscan\agentbehavior*.log   | All client issues
    C:\ProgramData\LANDesk\vulscan\actionhistory*.xml   | All client issues

     

    Support Tool

    For all Client issues please run the following program on the client and provide the results to the Ivanti Support Technician.

     

    Support Tool - 64-bit (Download)

    Support Tool - 32-bit (Download)

     

    This will create a file on your desktop to provide to the support technician.  This file will be in the following format: supporttool_computername_year_month_day_hour_minute.

    If applicable it is imperative to duplicate the issue you are seeing prior to running the support tool.

    Blue Screens

     

    If the issue is a Blue Screen error (BSOD), follow these instructions to gather the MEMORY.DMP file to provide to Ivanti Support.

    Common Issues

     

    Core Side

     

    Installation Issues

     

    ISSUE: Failure to install the services related to the Ivanti Antivirus 2017 Product

     

    AVSetup creates four services on the Core Server:

    Service Name                        | Description
    ------------------------------------|----------------------------------------------------------------------------------
    Ivanti Endpoint Integration Service | Applies the security server settings to a managed client product
    Ivanti Endpoint Security Service    | Provides protection against malware and other security threats on the core server
    Ivanti Endpoint Update Service      | Allows Endpoint to update Antivirus Content from the Core Server
    EPUpdateServer                      | Downloads Ivanti product updates and malware signatures to the Update Server

     

    RESOLUTION: Run the AVSetup program once more on the Core Server (Run as Administrator)

     

    Client Side

     

    Installation Issues

    Issue: BitDefender will not Install on a device that has Ivanti Antivirus (Kaspersky Engine) or Ivanti Bitdefender previously installed.

     

    Resolution:

     

    Make sure that the Kaspersky engine is completely uninstalled. If it does not uninstall via a Security Activity task, you can use the removal tool found here: Removal tool for Kaspersky Lab products

    After you have made sure it is uninstalled, check the client for the existence of this folder:

    C:\Program Files (x86)\LANDesk\LDClient\Antivirus

    If it exists, rename the Antivirus folder to something else and try the installation again.

     

    Issue

    The task to install the new Ivanti Antivirus on a client failed with: Ivanti Antivirus failed to Install code: 448.

     

    Resolution

    Step 1: On the core itself, navigate to %ldms_home%\ldlogon\avclientbd. Make sure the epsecurity_x64.exe and epsecurity_x86.exe files exist. If they do not, run Download Updates again with the Ivanti Antivirus Core Installation Files option checked so the files download.

    Step 2: Make sure you ran the AVsetup.exe file on the core and that it completed successfully, as outlined in the Core Install files section of https://community.ivanti.com/docs/DOC-62435#jive_content_id_Core_Install_files_in_Default_Drive_Letter_C
    The installation of the definition download utility on the core is needed before you can install the client portion on devices.

    Step 3: Make sure any other antimalware/antivirus programs are removed prior to installing the new Ivanti Antivirus. Currently the new antivirus solution does not automatically uninstall other security applications, so you will need to uninstall such programs before you install our antivirus solution. Windows Defender is the exception: it can be left running on the client devices if you like.

    Removal tools (uninstall tools) for common antivirus software

    Step 4: Log information on the installation of antivirus can be found in C:\ProgramData\LANDesk\Log\ldav_install.log

     

    Issue

    Ivanti Antivirus GUI says "Antimalware-Advanced Threat component(s) are disabled" and a message: You are at Risk.

     

    Resolution

    It is normal for the Advanced Threat Control module to be disabled. In the future, this will be enabled as we improve the product. To clear the "You are at Risk" message, run a full scan on the device and allow it to complete: click the radar icon, then click Full Scan and allow the scan to complete. When done, the main window should display "You are Protected" in green.

    Issue

    Antivirus 2017 (Bitdefender) failed to install, and now other attempts to install also fail.

     

    Resolution

    See Document: https://community.ivanti.com/docs/DOC-69442

     

    Client Pattern File Update Issues

    Error: 1003 (Could not resolve proxy), 1004 (Could not connect to proxy or server) or 1005 (Could not authenticate to proxy or server)

    Possible Causes

    • The endpoint is not configured correctly to communicate over the internet through a proxy.
    • The endpoint cannot resolve the proxy due to a DNS issue.
    • There is no proxy configured in the Bitdefender policy.

     

    Error: 1011 (I/O Timeout)

     

    Possible Causes

    • The update server is offline
    • The update server port is closed on 7074
    • The endpoint does not have access to the update server network location

    Issue: The Check for Updates button on the Bitdefender client is not working

     

    The Check for Updates button in the GUI is not functioning at this time. It may be functional in the future as we improve the product. You need to schedule definition updating on the clients through the Agent Settings; by default, definition updates are not turned on in the agent settings.

    Open Agent Settings. Expand Security, then Ivanti Antivirus New. Double-click your agent setting in the right window. Click Scheduled Tasks, check the Update box, then click Change Settings to adjust the update times. When done, save the settings. The agent settings will be applied to the client devices the next time a security scan is run.

     

    To force an immediate update on the client run  "C:\Program Files (x86)\LANDesk\LDClient\Antivirus\LDAV.exe" /update

    (Remember the above command must be run as administrator.)

     

    Again, update progress will be logged in C:\ProgramData\LANDESK\Log\ldav_update.log

    Client virus scanning issues

    Issue: High CPU and disk I/O during full scan

     

    Please note that the default values of the Full Scan are set so that the scan completes as soon as possible. In addition, while the scan is running for the first time on the system, the Smart Scan database is being built, and this is expected to take more resources than a normal run.

     

    Once the first scan is completed and the database is in place, subsequent scans will be faster and will take fewer resources.

     

    In any case, we recommend our customers to schedule the full scan once a week and preferably when the system is not in use.  Considering the real-time scanning capabilities of the product it is not recommended to run a full virus scan more often than this.

     

    CPU Usage and Disk I/O performance can be improved by doing the following:

     

    1. Uncheck the box for "Faster File Scan"
    2. Check the box for "Lower the priority of scanning threads"

    [Screenshot: AVFullScan.jpg]