How to troubleshoot Ivanti Device Control Shadow Copy

Version 6

    Verified Product Versions

    Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x

    Note: Shadow copy will work on a device only if the following conditions are met:


    Any removable volume - except CD/DVD - triggers shadow copy.

    Removable volumes are based on the BUS type: 1394, Usb, iScsi, Sd, Mmc


    Is an ActionHistory.xml file being created in C:\Documents and Settings\All Users\Application Data\Vulscan?


    Does the ActionHistory.xml contain information similar to the following?


    <Action name="E:\Directory Compare.exe" code="118" date="1261435724" type="83" user="XPSP3\User" configguid="LDMS9_17">
    <status>01d813bb.bb49c539.0000000d.tmp|4005759|-1507959040|Generic volume||de6d421a</status>

    Note: Code "118" as listed in the ActionHistory.xml is "VIGMODE_ALERT_SHADOWCOPY"


    These action codes are detailed here:


    After a vulscan is run, is this file renamed to .SENT?


    Does the Device Control settings XML contain the Shadow Copy setting?


    Look in the DCM.XML file in C:\Documents and Settings\All Users\Application Data\Vulscan
    (or ProgramData\Vulscan on Windows 7/Server 2008 or higher):


    <ShadowCopy Mode="On">


    Do any errors show up in the \Program Files\LANDesk\ManagementSuite\Log\WSVulnerabilityCore.dll.log file?
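
The endpoint-side file checks above can be run in one pass with the following PowerShell (3.0 or later). This is an added example, not Ivanti code: the function names, the `ActionHistory*.SENT` file pattern and the assumption that both files are well-formed XML without namespaces are this example's own.

```powershell
# Added example, not Ivanti code. File names, the code value 118 and the ShadowCopy
# Mode attribute come from the article; function names, the ActionHistory*.SENT
# pattern and the well-formed, namespace-free XML assumption are this example's own.
function Read-XmlFile([string]$Path) {
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath); $doc }
    catch { Write-Warning "$Path could not be parsed as XML: $($_.Exception.Message)" }
}

function Test-ShadowCopyEndpoint {
    # Default is ProgramData\Vulscan; pass the Documents and Settings path on older systems.
    param([string]$VulscanDir = (Join-Path $env:ProgramData 'Vulscan'))

    $history = Join-Path $VulscanDir 'ActionHistory.xml'
    $dcm     = Join-Path $VulscanDir 'DCM.XML'
    $actions = @()
    $mode    = $null

    # Collect every Action with code 118 (VIGMODE_ALERT_SHADOWCOPY) and its raw status text.
    $xml = if (Test-Path -LiteralPath $history) { Read-XmlFile $history }
    if ($null -ne $xml) {
        $actions = @($xml.SelectNodes('//Action[@code="118"]') | ForEach-Object {
            [pscustomobject]@{
                File   = $_.GetAttribute('name')
                User   = $_.GetAttribute('user')
                Date   = $_.GetAttribute('date')
                Status = ($_.SelectNodes('status') | ForEach-Object { $_.InnerText }) -join ''
            }
        })
    }

    # Read the Mode attribute of the ShadowCopy element in the Device Control settings.
    $settings = if (Test-Path -LiteralPath $dcm) { Read-XmlFile $dcm }
    if ($null -ne $settings) {
        $node = $settings.SelectSingleNode('//ShadowCopy')
        if ($null -ne $node) { $mode = $node.GetAttribute('Mode') }
    }

    [pscustomobject]@{
        HistoryPresent    = Test-Path -LiteralPath $history
        SentFiles         = @(Get-ChildItem -Path (Join-Path $VulscanDir 'ActionHistory*.SENT') -ErrorAction SilentlyContinue).Name
        ShadowCopyActions = $actions
        ShadowCopyMode    = $mode
    }
}

Test-ShadowCopyEndpoint | Format-List
```

An empty `ShadowCopyActions` list together with a `ShadowCopyMode` other than `On` points at the settings rather than at the device; a missing ActionHistory.xml alongside a .SENT file means the history was already picked up by a vulscan run.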




    Shadow copy information is stored in the database in the ShadowCopyAction table.


    Here is the format of that table: