How to troubleshoot LANDESK Device Control

Version 60

    Verified Product Versions

    LANDESK Management Suite 9.5LANDESK Management Suite 9.6LANDESK Management Suite 2016.x

    This article details the troubleshooting steps for LANDESK Device Control.

     

     

    LANDESK Device control uses settings defined in .XML files called "behavior files", in the same way that Agent Behavior, Distribution and Patch or other settings use behavior files.

     

    LANDESK Device Control Installation

     

    Installation through Agent Configuration

     

    In order for LANDESK Device Control to be installed on a device, the following must occur.

     

    1. Endpoint Security must be checked as a component in the Agent Configuration - Start - Agent Components to install section.

    AgentComponentSelection.png


    2. The proper Endpoint Security setting must be selected in the Agent Configuration - Security and Compliance - Endpoint Security - Machine Configuration section.

    Endpoint SecurityAgentConfig.jpg


    3. Within the selected Endpoint Security Setting, Device Control must be selected as one of the Security Policies to install.

     

     

    DeviceControlinEndpointSettings.jpg

     

    Command-line installation

     

    From the Run prompt on a client computer you can type "vulscan /installeps".  Add "/showui" if you want to watch the installation progress.

     

    Installation through an "Add/Remove Security Components" Task

     

    This option allows you to install LANDESK Endpoint Security to a LANDESK Client computer (computer that has the LANDESK agent installed) after the fact rather than installing the entire agent.

     

    1. Within the LDMS console open the "Agent Settings" tool.  This is found within the Configuration tool group or the Security and Compliance tool group.
    2. Click the calendar icon (2nd icon in the tool strip) and then select "Install/Update Security Components"
    3. Under Security components to install, check the box next to Endpoint Security.
    4. You can then select or configure the Endpoint Security setting you wish to install along with Endpoint Security. 
      Remember, the Endpoint security setting has 3 components settings underneath it:
           - Application Control
           - Device Control
           - LANDESK Firewall
    5. Select the desired task settings and slick "Save" to create a scheduled task.
    6. Deploy the task to the desired computers.

     

    Important Files in LANDESK Device Control

     

    FileLocationPurpose
    DCM.LOGProgram Files (x86)\LDCLIENT\HIPSDevice Control Manager log file
    DCMVOLUMES.LOGProgram Files (x86)\LDCLIENT\HIPSDevice Control Manager log file for activity involving drive volumes
    DCM.XMLProgram Files (x86)\LDCLIENT\HIPSDevice Control Manager behavior file
    BVD.RPT\ProgramData\LDSECUsed to display data in the Endpoint Security user interface
    LDSECSVC-DCM-DEBUG.LOG\ProgramData\LDSECDebug log for Device  Manager
    HIPSCLIENTCONFIG-HIPS-debug.log\ProgramData\LDSECDriver installation activity log
    EPSUI.LOG\ProgramData\LDSECUser Interface log
    HipsBehavior_(CoreServerName)_ID#.XML \ProgramData\VulscanPrimarily contains trusted location information for Application Control and LANDESK Firewall
    HipsBehavior_(CoreServerName)_ID#.ZIP\ProgramData\VulscanCompressed file containing all Endpoint Security behavior files
    ActionHistory.(ClientIPAddress).sent.#.xml\ProgramData\VulscanAction history sent from client to core (shows up in Security Activity on the core
    vulscan.log or vulscan.#.log\ProgramData\VulscanContains installation and change settings information
    softmon.log\ProgramData\VulscanLogs ActionHistory activity for actions sent to core through the softmon process

     

    Important Registry Keys

     

          HKLM\Software\LANDESK\HIPS\

              Settings - Current EPS settings.
              Known Volumes - Volumes that were present at the time of the DCM policy installation.  These should be excluded from the volume policy.

     

    Reset Known Volumes

     

    Known volumes are a list of volumes that were present at the time of Endpoint Security installation.  These known volumes are typically exempt from volume blocking or encryption policies.

     

    This will reset the list of volumes that are listed as allowed by EPS.  You would reset a known volume in the instance that you deployed an EPS configuration yet an undesired volume (such as an external USB hard drive) was plugged in at time of install.  This will automatically add this drive to the "known volumes" list, thus it will be allowed even if a volume restriction policy is in the EPS configuration.

     

    • Push out an agent configuration that Allows all volumes.  This will reset the known volumes list.
    • You can then push out the final Agent Configuration with the desired volume restrictions and exceptions.

    -or-

    • From the command prompt type "sc.exe control ldsecsvc 130"

     

    When switching a policy from "Deny" to "Full Access" the known volume list is reset for 1 minute and any plugged in devices will be re-learned for that minute.   So when these steps are taken the Administrator should be aware of this.

     

    You may also use the following to forcefully reset known volumes

     

    • Deploy a device control policy with the 'storage volumes' policy set to 'Full access'
    • Deploy it again with the required policy (read only/encryption only/no access as appropriate)

     

    General Troubleshooting steps

    • Are the Device Control Settings on the core server configured correctly for the expected outcome?
      • Check the Device Control Settings in the Security Configurations Tool on the Core Server)
      • Make sure you are looking in the correct group - My, Public or All
      • Make a note of the ID #, Name, and Revision # for the Device Control Setting

    DeviceControlBehaviorSettings.jpg

     

    • Do the Device Control Settings match what is listed on the Core Server?
      • Check which Endpoint Security setting is active on the client
        • Look in the registry at: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan
          Does the Behavior ID, Name and Revision match the core setting? (If different, run Vulscan /changesettings /showui)
        • Within the DCM.XML file in the LDCLIENT\HIPS directory, do the settings match what is expected?

     

    • Examine the log files (DCM.LOG and DCMVOLUMES.LOG in LDCLIENT\HIPS)  (Best way to gather is by turning on debug logging)
      • Do any of the ActionHistory.(ClientIPAddress).ID#.sent.xml files that contains the action expected?


                   If not, duplicate the failure again and check the ActionHistory XML files.

    How actions are sent from the Client to the core server

    Whenever an action takes place (A device is blocked, shadow copy activity takes place, etc) this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file.  If no further activity takes place within 2 minutes, Softmon will send this information to the core server.  Otherwise every time Vulscan runs, it gathers the ActionHistory information and sends it to the core server.  This ActionHistory information gets stored in the SecurityAction table in the database and is displayed in the Security Activity window.  After the ActionHistory is sent, the .XML is renamed to .SENT.XML.  11 copies of this file are kept on the client.  .sent and then .sent #'s 1-10.


    If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file
    If ActionHistory is sent via Softmon, this is logged in the Softmon.log file

     

    Items to gather and send to the Ivanti Support technician

     

    1. GetSystemInfo Report
    2. Debug Logs
    3. Exported Security Configuration Settings
    4. If issue is a blue screen, gather a Kernel Mode Memory dump

     

    Instructions for gathering this information follows:

     

    Gather a GetSystemInfo report

         The GetSystemInfo gathers details information about a computer, including hardware information, operating systems, drivers, installed, software, etc.  This utility can be very useful for determining the cause of certain issues.

    For Windows Workstation/Server

    GetSystemInfo 6.1


    1. Run GetSystemInfo.exe on the computers with the problem.
    2. Click the button Create report in the right part of the main window.
    3. Wait until the utility has completely scanned the system.
    4. Click OK to confirm the creation of a report.

     

    A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.

    Attach this report to your created case, or e-mail it to your LANDESK Support technician.

     

    How to enable debug logging

     

    1. Open the Endpoint Security GUI by clicking on the EPS system tray icon.
    2. Hold LSHIFT (left shift key) + LCTRL (left control key), then click the Drop-down Menu in the upper right (next to the gear icons) to reveal the Extended Menu
      Ctrl-LeftShift.jpg EPSDebugMode.gif
    3. The eps-logs.zip file will contain the required information to send to support for troubleshooting.
    4. Once done generating the Debug Logs, click the Drop-down Menu and choose Disable debug mode.

     

    If the problem is a Blue Screen, collect a Kernel Memory Dump


    1. Right-click "My computer" and choose "Properties"

    2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"

    3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Kernel memory dump".

    4. Make note of the path that the MEMORY.DMP file will be saved to.
    5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.

    A kernel memory dump must be supplied, a mini memory dump does not supply sufficient information.

    For further information about blue screen issues involving Endpoint Security: Issue: Blue screen with Endpoint Security installed

     

    For more information about troubleshooting memory dumps see How to troubleshoot bluescreen issues

     

    If the memory dump says the faulting driver is LDSECDRV.SYS the issue is likely with Endpoint Security, if another driver is listed it is likely caused by something other than Endpoint Security.

     

    Summary of items gathered

     

    The following is the list of files to be supplied to the Support Technician:

     

    • GetSystemInfo_Computername_Username_Date_time.zip

            From GetSystemInfo

    • Logs.cab

    From "Gather Debug Logs"

     

    • Endpoint Security Settings ##.ldms

    From exporting the Endpoint Security Setting, this filename will differ based on what you have named the setting.

     

    • Device Control Setting ##.ldms

    From exporting the Device Control Setting
    (Note, this filename will differ based on what you have named the setting)

    • MEMORY.DMP

      If issue was a bluescreen and you have gathered a Kernel memory dump

     

    MEMORY.DMP will likely be too large to attach to an e-mail.   If this is the case, name your .ZIP file of MEMORY.DMP to "LANDESK Case # Memory Dump.zip" and upload to ftp://ftp.landesk.com/incoming