Error: "Error - 1004" when attempting to run an update in Antivirus 2017 (Bitdefender Engine)

Version 10

    Verified Product Versions

    Endpoint Manager 2016.x, Endpoint Manager 2017.x, Endpoint Manager 2018.x

    Issue

     

    The error "Error - 1004" appears when attempting to update the pattern files in Ivanti Antivirus 2017 (Bitdefender Engine).

    "Error - 1004" means "Cannot connect to proxy or server". In other words, the client cannot contact the pattern file update server to get its updates.

     


    Cause

     

    The Antivirus 2017 client cannot access the Core Server that has the Bitdefender Update Server installed, and/or it cannot access the Bitdefender update server on the internet.

     

    • The client does not have the update servers properly configured in its Antivirus 2017 settings.
    • The client does not have the registry key that points to the behavior that it is to follow.
    • The client cannot access the update servers (see Resolution for ports and host names needed).

    This error is almost *always* caused by a Proxy Server or other Network Appliance that is not allowing the proper traffic.  Check and double check this scenario.  More often than not, when support receives a call and is told that there is no network appliance or proxy server that could block traffic, it turns out that something of that kind is in fact blocking it.

     

    Resolution

     

    Ensure the update servers are configured properly in the Antivirus 2017 settings

    1. On the Core Server go to the Security and Compliance tool group and go to the Agent Settings tool.
    2. In Agent Settings scroll down to the bottom and open All Agent Settings.
    3. Open the Security section of the tree and select Ivanti Antivirus 2017.
    4. Find the desired Antivirus 2017 setting your failing client is using and open it.
    5. In the left-hand pane go to "Update Servers".
    6. Ensure that your core name or IP is listed, followed by the port number 7074.  In addition, ensure that av-update.ivanti.com (or the IP address 152.195.13.12) is listed.  You can change the order of these depending on what you want the client to contact first: the core update server or the internet update servers.  For troubleshooting purposes, you may want to temporarily swap the order and then run "Vulscan /changesettings /showui" from the client to test connectivity.


     

    Ensure the client has the AV setting written to the registry

     

    A bug existed that caused the AVNewBehavior behavior information not to be written to the client registry.  This can be verified and resolved by doing the following:

     

    On the client open the registry editor and browse to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors and look for an "avnewbehavior" setting.

     

     

    If this does not exist, you will need to run a Change Settings task and push it to the agent, which will cause this key to be written.  Do the following to accomplish this.

     

    1. In the Management Console open the Patch and Compliance tool group and then open the Agent Settings tool.
    2. Click the Calendar icon in the toolbar and select "Change Settings".
    3. Give the setting a meaningful name under the "Name: " section.
    4. In the right-hand pane select the drop-down to the right of "Ivanti Antivirus 2017" and select the desired Antivirus 2017 setting.

    5. Click "Save".  This will open the Scheduled Tasks window.
    6. Add your desired computers to the task and start it when desired.

     

    Ensure that the "avnewbehavior" key is written to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors

     

     

    Ensure the proper ports are open and the hostnames are reachable for the update servers

     

    Here are a few facts about this connection:

     

    • TCP Port 7074 needs to be open from the client to the core
    • TCP Port 7074 needs to be open from the core to the client
    • In order to update files from the internet, the client needs to be able to access av-update.ivanti.com at IP address 152.195.13.12

     

    A Wireshark capture can be performed on the client and the core to ensure that the expected traffic is taking place.

     

    In a normal conversation from the client to an update server, the following takes place:

     

    1. The client requests av64bit-eps/versions.id
    2. The client requests bdvaccine64/versions.id
    3. The client requests avc3-sig-busi/versions.id
    4. The client requests avc3-exec-busi/versions.id
    5. The client requests atc-sig-busi/versions.id

     

    The client analyzes the versions.id files and compares them to the versions that it already has downloaded.  If something newer is found the client continues to download that content.

     

    Normal Traffic to/from the Core Server on port 7074 during an update process:

     

    Filter: tcp.port == 7074


    Normal traffic to/from Bitdefender update server over the internet:

     

    Filter: ip.dst == 152.195.13.12 || ip.src == 152.195.13.12


    Error on Client: Cannot Connect to Cloud Services

     

    Please be sure that the connection to the Cloud services is not blocked by the corporate firewall or network filtering solution. You should whitelist the nimbus.bitdefender.net address on port 443 and allow other addresses originating from there.

     

    You can test the connection using "telnet nimbus.bitdefender.net 443", or with a web browser by accessing, for example, https://nimbus.bitdefender.net/url/status?url=http://ivanti.com
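
    The client-side checks described above (the "avnewbehavior" registry entry, TCP 7074 to the core, name resolution for av-update.ivanti.com, and TCP 443 to nimbus.bitdefender.net) can be collected in one script. This is an added example, not Ivanti code; it assumes PowerShell 5 or later on the failing client, and $CoreServer is a placeholder for your own Core Server name or IP.

```powershell
# Added example, not Ivanti code. Run on the failing client.
param(
    # Placeholder: name or IP of your Core Server (the one listed under "Update Servers").
    [Parameter(Mandatory)] [string] $CoreServer
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string] $Check, [bool] $Passed, [string] $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. Registry: the article says "avnewbehavior" must exist under OtherBehaviors.
#    It does not say whether it is a value or a subkey, so accept either.
$key   = 'HKLM:\SOFTWARE\WOW6432Node\landesk\managementsuite\WinClient\Vulscan\OtherBehaviors'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$found = ($props -and $props.PSObject.Properties.Name -contains 'avnewbehavior') -or
         (Test-Path -Path (Join-Path $key 'avnewbehavior'))
Add-Result 'avnewbehavior in registry' $found $key

# 2. TCP reachability for the host/port pairs the article names.
#    (Core-to-client 7074 has to be tested from the core; it cannot be checked here.)
$targets = @(
    @{ Name = $CoreServer;              Port = 7074 },
    @{ Name = 'nimbus.bitdefender.net'; Port = 443  }
)
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
    Add-Result "TCP $($t.Name):$($t.Port)" $r.TcpTestSucceeded "remote address: $($r.RemoteAddress)"
}

# 3. DNS: does av-update.ivanti.com resolve, and to the address the article lists?
$expected = '152.195.13.12'
try {
    $ips = [System.Net.Dns]::GetHostAddresses('av-update.ivanti.com') |
           ForEach-Object { $_.IPAddressToString }
    Add-Result 'av-update.ivanti.com resolves' $true ($ips -join ', ')
    Add-Result "resolves to $expected" ($ips -contains $expected) 'if not, IP-based firewall rules may not match'
} catch {
    Add-Result 'av-update.ivanti.com resolves' $false $_.Exception.Message
}

$results | Format-Table -AutoSize -Wrap
```

    A failed TCP row while the same host resolves correctly points at a proxy or filtering device on the path, which is the cause this article describes as the most common.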

     

    Reinstall Ivanti Antivirus 2017

     

    A task can be created to force a reinstallation of Antivirus 2017.  The following steps should be followed:

     

    1. In the Patch and Compliance tool group go to Agent Settings.
    2. Click the Calendar icon on the toolbar and select "Install/Update Security Components".
    3. In the drop-down on the right-hand side, select the Antivirus 2017 setting you wish to use for the install.
    4. Click "Force reinstall of Ivanti Antivirus components even if the same version is already installed".
