Has all of this happened post remove and re-install? If so, you will need to start by checking the services on both your machine and the Core server.
1. If the realtime scanner refuses to start, there may be more information in this registry key stating why that happened: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\Antivirus.
2. Can you eliminate whether this has anything to do with pattern-file updating? Does avservice.log say it loaded pattern files successfully? Was there a recent pattern-file update? Is there more than one avservice process in task manager?
3. Check log files (Running "Vulscan av" opens the folder in which all these logs reside.)
o Avservice.log contains output from the service.
o Avservice_update.log contains output from the process that was launched to do the last pattern file update.
o Avservice_scan.log is the output from the avservice launched to do some type of directory or system scan (whether administrator initiated or right-click or through ldav UI).
I saw the Outlook error on a machine and reinstalling AV fixed it. I have only seen it on one machine so far so I cannot say what it is related to.
vulscan /showui /installav from the run line.
This might help... looks like a syntax error returned by java in the avservice.log...
(answers to your questions below log file extract)
Wed, 02 Jan 2008 09:32:17 Main: succeeded in loading pattern files
Self update: files are up to date.
AV - /scancomputer task is up to date
AV - /update task is up to date
Loaded 1 custom variables from C:\Documents and Settings\All Users\Application Data\vulScan\CustomVariables.AGENT99.ini
Failed to create instance of jscript ActiveX control.
Called AddObjectToScriptNamespace without first calling Initialize
ERROR: Scripting error. Failed to add our namespace to the scripting engine. 0x80004003
Wed, 02 Jan 2008 09:32:17 SendRequest: SOAPAction: "http://tempuri.org/GetHashForWildcard"
Wed, 02 Jan 2008 09:32:18 Success
Deleting file C:\Program Files\LANDesk\LDClient\antivirus\bases\sfdb.dat
Wed, 02 Jan 2008 09:33:09 Reset cleaning mode to 3 returned 0x0
Wed, 02 Jan 2008 09:33:09 Reset scanning mode to 21 returned 0x0
Wed, 02 Jan 2008 09:33:09 Reset filter to '"C:\Documents and Settings\All Users\Application Data\LANDeskAV\avservice.log";"<C:\Program Files\LANDesk\LDClient\antivirus\*.log";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Server\*";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Client\*";<*.pst' returned 0x0
Wed, 02 Jan 2008 14:41:10 1200: Service is shutting down
Wed, 02 Jan 2008 14:41:11 Unable to update operating system with our current antivirus status: (code 0x8007045b)
Wed, 02 Jan 2008 14:41:15 LANDesk Antivirus stopped on channel.
Wed, 02 Jan 2008 14:41:15 Exiting channel 0.
Wed, 02 Jan 2008 14:41:15 1200: Service stopped
Wed, 02 Jan 2008 14:42:18 1540: Windows Platform 2, version 5.1 Service Pack 2
Wed, 02 Jan 2008 14:42:18 1540: Service started
Wed, 02 Jan 2008 14:42:20
1. I reloaded AV on my machine so it's running now so the registry value is blank...
2. I think it DOES have to do with pattern file updates since the core may have been unavailable and it seems to have stopped during the update since it said it was updating...
3. I looked over the logs... doesn't seem to be anything out of order though I'm no expert... and they are very long and verbose. It would be nice if you guys would create "av failure.log" with just the exceptions. But if you want, I could e-mail the complete logs to you!
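An exceptions-only view of avservice.log, as asked for above, can be produced outside the product. This is an added example, not part of the thread or of LANDesk's tooling: it keeps lines that carry an error keyword or a failing HRESULT and decodes the codes. The sample lines are copied from the extract above, and the keyword list is an assumption.

```python
import re

# Sample input: lines copied from the avservice.log extract in this thread.
SAMPLE_LOG = """\
Wed, 02 Jan 2008 09:32:17 Main: succeeded in loading pattern files
Failed to create instance of jscript ActiveX control.
ERROR: Scripting error. Failed to add our namespace to the scripting engine. 0x80004003
Wed, 02 Jan 2008 09:33:09 Reset cleaning mode to 3 returned 0x0
Wed, 02 Jan 2008 14:41:11 Unable to update operating system with our current antivirus status: (code 0x8007045b)
Wed, 02 Jan 2008 14:41:15 1200: Service stopped
"""

# Assumed keyword list; extend it to match what your own logs contain.
KEYWORDS = re.compile(r"\b(error|failed|unable)\b", re.IGNORECASE)
HEX = re.compile(r"0x[0-9a-fA-F]+")


def decode_hresult(value):
    """Split a 32-bit HRESULT into (is_failure, facility, code)."""
    return bool(value & 0x80000000), (value >> 16) & 0x1FFF, value & 0xFFFF


def triage(log_text):
    """Return (line_no, line, [failing HRESULTs]) for the lines worth reading."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        codes = [int(h, 16) for h in HEX.findall(line)]
        # "returned 0x0" is a success code, so only severity-bit failures count.
        failures = [c for c in codes if decode_hresult(c)[0]]
        if failures or KEYWORDS.search(line):
            findings.append((no, line.strip(), failures))
    return findings


if __name__ == "__main__":
    for no, line, failures in triage(SAMPLE_LOG):
        print(f"{no}: {line}")
        for hr in failures:
            _, facility, code = decode_hresult(hr)
            # Facility 7 is FACILITY_WIN32: the low word is a Win32 error number.
            note = f" (wraps Win32 error {code})" if facility == 7 else ""
            print(f"    HRESULT 0x{hr:08X}: facility {facility}, code {code}{note}")
```

In this extract, 0x8007045b wraps Win32 error 1115 (ERROR_SHUTDOWN_IN_PROGRESS), which fits the "Service is shutting down" line one second earlier. 0x80004003 is E_POINTER.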
Yes, thank you! A re-install of the AV does the trick. Problem is, I've had to do this twice now on our IT Director's machine. And once on mine and I have two other service calls for the same...
Gotta solve this before people get mad at LDAV!
Need to call into LANDesk Support so we can get a ticket opened on it and try and track down the issue.
I have experienced this problem before and one very peculiar thing that I noticed was that the LANDesk Antivirus Service wouldn't start and when I examined the properties of the service the start parameters input box on the general tab was enabled but had nothing filled in. This input box is usually greyed out.
We've been running LDAV for a while in our environment and see this issue frequently. Uninstalling and then reinstalling using the vulscan /removeav and /installav switches works great, but really it is a problem with the definition file download. The issue is directly involved with how clients are downloading the definition files in the \ldclient\antivirus\bases folder. It seems that the realtime engine is highly sensitive to inconsistencies in the folder file hierarchy. You can imagine with 383+ files to download that hiccups could happen quite often depending on your environment.
Realtime AV will start right back up if you just delete the contents of the bases folder on the client and copy the working set from the core back onto the client. Restart LDAV and voila you're back in business. Remember to keep opening cases if any of you have this issue as it will help the devs fix the process.
Here is a quick script that could help you recover from realtime av failures until a better fix from LANDesk comes out. It will work in 2K and XP computers.
;This line is used to connect to a file share on the core
REMEXEC01=net use \\<coreserver>\landesk$ /user:domain\user password
REMEXEC02=net stop "LANDesk(R) Antivirus"
;Use PStools to kill any remaining processes that LDAV might be running
REMEXEC03=\\<coreserver>\landesk$\Packages\Win\Tools\SysInternals\PsTools\pskill.exe /accepteula -t AVService.exe
REMEXEC04=\\<coreserver>\landesk$\Packages\Win\Tools\SysInternals\PsTools\pskill.exe /accepteula -t scanningprocess.exe
;Robocopy the bases folder from the core back to the client
REMEXEC05=robocopy \\hurricane\ldlogon\antivirus\bases "c:\program files\landesk\ldclient\antivirus\bases" /mir
REMEXEC06=net start "LANDesk(R) Antivirus"
Edmonds School District 15
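Before wiping the bases folder and mirroring it back, it can help to see which files actually differ from the core's working set. This is an added example, not part of the thread or of LANDesk's tooling: it compares two directory trees by relative path and SHA-256. The file names in the demo are constructed; in practice the two arguments would be the core's bases share and the client's bases folder.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_bases(reference_dir, client_dir):
    """Compare a client's bases folder with the known-good reference copy."""
    ref, cli = digest_tree(reference_dir), digest_tree(client_dir)
    return {
        "missing": sorted(set(ref) - set(cli)),   # on the core, not on the client
        "extra": sorted(set(cli) - set(ref)),     # leftovers a /mir copy would delete
        "mismatched": sorted(n for n in ref.keys() & cli.keys() if ref[n] != cli[n]),
    }


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        core, client = Path(tmp, "core"), Path(tmp, "client")
        for d in (core, client):
            (d / "sub").mkdir(parents=True)
        # Constructed file names and contents, standing in for definition files.
        for name, data in {"a.avc": b"one", "b.avc": b"two", "sub/c.dat": b"three"}.items():
            (core / name).write_bytes(data)
        (client / "a.avc").write_bytes(b"one")          # intact
        (client / "b.avc").write_bytes(b"tw")           # truncated download
        (client / "stale.tmp").write_bytes(b"partial")  # leftover file
        return compare_bases(core, client)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

An empty result in all three lists means the folder already matches the core, so the failure lies elsewhere and re-copying the definitions will not help.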
I appreciate your experience and the script examples! Thanks very much!
However, I'm hoping that someone with inside knowledge of 8.8 will let us all know if there is more "self healing" in the product. I've also heard a rumor that 8.7 SP5 does a better job of "self healing" when a signature download goes awry.
Also, I'm asking them to consider changing the dang error message as we had several VIPs receive the message and it makes us (and LANDesk) look bad. (see thread "tERRORble Error message... just hERRORble")
I know that I can overcome this message with a re-install... or with a script... but:
1. Why should I have to?
2. Is the user protected once they get this error message or is AV dead?
3. If 8.8 does a much better job of "Self Healing" then LD support should push this out as an answer (solution); we would jump to 8.8 if this were really true. We just want verification.
Thanks again, and have a great day!
Attached is a custom definition that I and a coworker just put together that may be useful as well.
Only send this to clients that you know are having the issue.
What it does is detect whether the Real-time engine is running or not. If it's not, it will stop the LANDesk Antivirus Service, redownload the virus definitions, and then restart the service.
Most of the time when this issue occurs, for some reason one of the files in the Bases directory has gotten corrupted, and this will keep the real-time engine from starting.
V_INTL_AV-101-Cust.xml 32.0 K
Thanks for the response.
Sounds like you are doing exactly what the basic product SHOULD do... I still haven't heard from anyone at LANDesk whether the 8.8 will do something like this.
We've had to push out LDAV twice since I've written... not only is the product fragile but it seems to stop running completely if it can't communicate with the core. We had some core server issues...
Meanwhile, sounds like you may have the solution- I just don't know what to do with the file you sent- I guess I'm a NOOB... Plz advise.
It's a custom vulnerability definition for Security & Patch Manager... download it and import it, then vulnerability scans which look for custom vulnerabilities will check out LDAV's state.
8.8 doesn't do anything different than 8.7.5 re LDAV, as far as I know, but that custom vulnerability is the first step in the right direction. If it tests out okay and solves enough people's problems, it has potential to become part of the official AV channel.
Sorry, I should have been more specific.
In your Security and Patch Manager tool, change Type of definitions to Custom Definitions (The drop-down window right above the list of Vulnerability Definitions).
Then click the Import icon (Yellow diamond with Green Arrow). Then browse to the .XML file I sent. This will import it into your list. Make sure it is in the Scan group, and then check your Scan and Repair setting to make sure that, on the Scan tab, Custom Vulnerabilities is selected as one of the types to scan for.