13 Replies Latest reply on Mar 17, 2008 10:22 AM by LANDave

    LDAV vs. Exchange Broken this morning... Y2008 bug?  :)

    Apprentice

       

      Mornin' all,

       

       

      This morning I came in and started Outlook and got:

      I've seen this before and based on the responses from the community, I've fixed it by uninstalling and reinstalling using "vulscan /removeAV" and "vulscan /installAV".

       

       

      However, this computer happens to be mine, and with the exception of being on all day yesterday, it HAD been running the LDAV fine including interoperability with Outlook 2003.

       

       

      Here's a clue... I opened LDAV thinking maybe it needed to be updated... and when I clicked the "Update Now" link I get:

      (which is nonsense 'cause I've had my pc on for a day and it has perfect internet connection... and perfect connection to the core!!!)

       

       

      What's up?

       

       

      Any ideas?

       

       

      TIA

       

       

      -B

       

       

       

       

        • 1. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
          Apprentice

           

          ...another clue...

           

           

          Rebooted the computer and LDAV shield went to RED! Opened LDAV and hit "ENABLE" and got:

          Dang it all!

           

           

          -B

           

           

          • 2. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
            Expert

             

            Has all of this happened Post Remove and Re-install? If so you will need to start by checking the services on both your machine and the Core server.

             

             

            1. If the realtime scanner refuses to start, there may be more information in this registry key stating why that happened: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\Antivirus.

             

             

            2. Can you eliminate whether this has anything to do with pattern-file updating? Does avservice.log say it loaded pattern files successfully? Was there a recent pattern-file update? Is there more than one avservice process in task manager?

             

             

            3. Check log files (Running "Vulscan av" opens the folder in which all these logs reside.)

             

             

            o Avservice.log contains output from the service.

             

             

            o Avservice_update.log contains output from the process that was launched to do the last pattern file update.

            o Avservice_scan.log is the output from the avservice launched to do some type of directory or system scan (whether administrator initiated or right-click or through ldav UI).

             

             

            • 3. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
              Expert

               

              I saw the Outlook error on a machine and reinstalling AV fixed it. I have only seen it on one machine so far so I cannot say what it is related to.

              vulscan /showui /installav from the run line.

              1 of 1 people found this helpful
              • 4. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                Apprentice

                 

                This might help... looks like a syntax error returned by java in the avservice.log...

                 

                 

                (answers to your questions below log file extract)

                 

                 

                Wed, 02 Jan 2008 09:32:17 Main: succeeded in loading pattern files

                Self update: files are up to date.

                AV - /scancomputer task is up to date

                AV - /update task is up to date

                Loaded 1 custom variables from C:\Documents and Settings\All Users\Application Data\vulScan\CustomVariables.AGENT99.ini

                Failed to create instance of jscript ActiveX control.

                Called AddObjectToScriptNamespace without first calling Initialize

                ERROR: Scripting error.  Failed to add our namespace to the scripting engine.  0x80004003

                Wed, 02 Jan 2008 09:32:17 SendRequest: SOAPAction: "http://tempuri.org/GetHashForWildcard"

                 

                 

                Wed, 02 Jan 2008 09:32:18 Success

                Deleting file C:\Program Files\LANDesk\LDClient\antivirus\bases\sfdb.dat

                Wed, 02 Jan 2008 09:33:09 Reset cleaning mode to 3 returned 0x0

                Wed, 02 Jan 2008 09:33:09 Reset scanning mode to 21 returned 0x0

                Wed, 02 Jan 2008 09:33:09 Reset filter to '"C:\Documents and Settings\All Users\Application Data\LANDeskAV\avservice.log";"<C:\Program Files\LANDesk\LDClient\antivirus\*.log";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Server\*";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Client\*";<*.pst' returned 0x0

                Wed, 02 Jan 2008 14:41:10 1200: Service is shutting down

                Wed, 02 Jan 2008 14:41:11 Unable to update operating system with our current antivirus status: (code 0x8007045b)

                Wed, 02 Jan 2008 14:41:15 LANDesk Antivirus stopped on channel.

                Wed, 02 Jan 2008 14:41:15 Exiting channel 0.

                Wed, 02 Jan 2008 14:41:15 1200: Service stopped

                Wed, 02 Jan 2008 14:42:18 1540: Windows Platform 2, version 5.1 Service Pack 2

                Wed, 02 Jan 2008 14:42:18 1540: Service started

                Wed, 02 Jan 2008 14:42:20

                1.  I reloaded AV on my machine so it's running now so the registry value is blank...

                 

                 

                2.  I think it DOES have to do with pattern file updates since the core may have been unavailable and it seems to have stopped during the update since it said it was updating...

                 

                 

                3.  I looked over the logs... doesn't seem to be anything out of order though I'm no expert... and they are very long and verbose.   It would be nice if you guys would create "av failure.log" with just the exceptions.   But if you want, I could e-mail the complete logs to you!

                 

                 

                 

                 

                 

                Thanks!

                 

                 

                -B
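Post 4 above asks for an "av failure.log" holding only the exceptions. As an added example (not from the thread and not LANDesk code), this Python filter pulls the failure lines out of an avservice.log-style extract; the keyword list and the handling of unstamped lines as continuations of the previous entry are assumptions based on the extract's layout.

```python
import re

# Constructed sample: lines copied from the avservice.log extract quoted above.
SAMPLE_LOG = """\
Wed, 02 Jan 2008 09:32:17 Main: succeeded in loading pattern files
Self update: files are up to date.
Failed to create instance of jscript ActiveX control.
Called AddObjectToScriptNamespace without first calling Initialize
ERROR: Scripting error.  Failed to add our namespace to the scripting engine.  0x80004003
Wed, 02 Jan 2008 09:33:09 Reset cleaning mode to 3 returned 0x0
Wed, 02 Jan 2008 14:41:10 1200: Service is shutting down
Wed, 02 Jan 2008 14:41:11 Unable to update operating system with our current antivirus status: (code 0x8007045b)
Wed, 02 Jan 2008 14:42:18 1540: Service started
"""

# "Wed, 02 Jan 2008 09:32:17 <message>"; lines without a stamp are treated
# as continuations of the previous stamped entry (assumption).
STAMP = re.compile(r"^(\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s*(.*)$")
# Assumed failure wording, taken from the extract.
KEYWORDS = re.compile(r"\b(error|failed|unable to)\b", re.IGNORECASE)
HEX_CODE = re.compile(r"\b0x[0-9a-fA-F]{1,8}\b")


def failure_codes(message):
    """Return hex codes whose top bit is set (HRESULT failure); 0x0 is success."""
    return [c for c in HEX_CODE.findall(message) if int(c, 16) & 0x80000000]


def extract_failures(log_text):
    """Return [(timestamp, message, codes)] for lines that look like failures."""
    failures, stamp = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = STAMP.match(line)
        if match:
            stamp, line = match.groups()
        if not line:
            continue
        codes = failure_codes(line)
        if codes or KEYWORDS.search(line):
            failures.append((stamp, line, codes))
    return failures


if __name__ == "__main__":
    for stamp, message, codes in extract_failures(SAMPLE_LOG):
        print(stamp, "|", message, "|", ",".join(codes) or "-")
```
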

                 

                 

                • 5. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                  Apprentice

                   

                  Yes, thank you!  A re-install of the AV does the trick.   Problem is, I've had to do this twice now on our IT Director's machine.   And once on mine and I have two other service calls for the same...

                   

                   

                  Gotta solve this before people get mad at LDAV!

                   

                   

                  -B

                   

                   

                  :_| 

                   

                   

                  • 6. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                    Expert

                    Need to call into LANDesk Support so we can get a ticket opened on it and try and track down the issue.

                    • 7. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                      rcronje Apprentice

                      I have experienced this problem before and one very peculiar thing that I noticed was that the LANDesk Antivirus Service wouldn't start and when I examined the properties of the service the start parameters input box on the general tab was enabled but had nothing filled in. This input box is usually greyed out.

                      • 8. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                        Rookie

                        We've been running LDAV for a while in our environment and see this issue frequently. Uninstalling and then reinstalling using the vulscan /removeav and /installav switches works great, but really it is a problem with the definition file download. The issue is directly involved with how clients are downloading the definition files in the \ldclient\antivirus\bases folder. It seems that the realtime engine is highly sensitive to inconsistencies in the folder file hierarchy. You can imagine with 383+ files to download that hiccups could happen quite often depending on your environment.

                         

                         

                        Realtime AV will start right back up if you just delete the contents of the bases folder on the client and copy the working set from the core back onto the client. Restart LDAV and voila you're back in business. Remember to keep opening cases if any of you have this issue as it will help the devs fix the process.

                         

                         

                        Here is a quick script that could help you recover from realtime av failures until a better fix from LANDesk comes out.  It will work in 2K and XP computers.

                         

                         

                        ;This line is used to connect to a file share on the core

                        REMEXEC01=net use \\<coreserver>\landesk$ /user:domain\user password

                        REMEXEC02=net stop "LANDesk(R) Antivirus"

                        ;Use PStools to kill any remaining processes that LDAV might be running

                        REMEXEC03=\\<coreserver>\landesk$\Packages\Win\Tools\SysInternals\PsTools\pskill.exe /accepteula -t AVService.exe

                        REMEXEC04=\\<coreserver>\landesk$\Packages\Win\Tools\SysInternals\PsTools\pskill.exe /accepteula -t scanningprocess.exe

                        ;Robocopy the bases folder from the core back to the client

                        REMEXEC05=\\<coreserver>\landesk$\packages\win\microsoft\robocopy.exe \\hurricane\ldlogon\antivirus\bases "c:\program files\landesk\ldclient\antivirus\bases" /mir

                        REMEXEC06=net start "LANDesk(R) Antivirus"

                         

                         

                        Thien-An Hua

                        Edmonds School District 15

                        • 9. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                          Apprentice

                           

                          Thanks Huat!

                           

                           

                          I appreciate your experience and the script examples!   Thanks very much!

                           

                           

                          However, I'm hoping that someone with inside knowledge of 8.8 will let us all know if there is more "self healing" in the product.   I've also heard a rumor that 8.7 SP5 does a better job of "self healing" when a signature download goes awry.

                           

                           

                          Also, I'm asking them to consider changing the dang error message as we had several VIPs receive the message and it makes us (and LANDesk) look bad.  (see thread "tERRORble Error message... just hERRORble")

                           

                           

                          I know that I can overcome this message with a re-install... or with a script... but:

                           

                           

                          1.  Why should I have to?

                           

                           

                          2.  Is the user protected once they get this error message or is AV dead?

                           

                           

                          3.  If 8.8 does a much better job of "Self Healing" then LD support should push this out as an answer (solution); we would jump to 8.8 if this were really true.  We just want verification.

                           

                           

                          Thanks again, and have a great day! 

                           

                           

                          -B

                           

                           

                          • 10. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                            LANDave SupportEmployee

                             

                            Attached is a custom definition that I and a coworker just put together that may be useful as well.

                             

                             

                            Only send this to clients that you know are having the issue.

                             

                             

                            What it does is detect whether the Real-time engine is running or not. If it's not, it will stop the LANDesk Antivirus Service, redownload the virus definitions, and then restart the service.

                             

                             

                            Most of the time when this issue occurs, for some reason one of the files in the Bases directory has gotten corrupted, and this will keep the real-time engine from starting.
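Posts 8 and 10 both trace the failure to an inconsistent or corrupted file in the client's bases folder. As an added example (not from the thread and not LANDesk code), this Python check compares a client bases folder against a known-good reference copy by size and SHA-256, so the damaged files can be identified before the folder is mirrored again; the function names and the demo file names and contents are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map lower-cased relative path -> (size, SHA-256) for every file under root."""
    root = Path(root)
    entries = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            key = path.relative_to(root).as_posix().lower()
            entries[key] = (path.stat().st_size, digest)
    return entries


def compare_bases(reference_dir, client_dir):
    """Report files the client lacks, has in excess, or holds with different content."""
    ref, cli = manifest(reference_dir), manifest(client_dir)
    return {
        "missing": sorted(ref.keys() - cli.keys()),
        "extra": sorted(cli.keys() - ref.keys()),
        "changed": sorted(k for k in ref.keys() & cli.keys() if ref[k] != cli[k]),
    }


def demo():
    """Build two constructed folders and compare them (names and contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        core = Path(tmp, "core_bases")
        client = Path(tmp, "client_bases")
        core.mkdir()
        client.mkdir()
        for name in ("a001.dat", "a002.dat", "sfdb.dat"):
            (core / name).write_bytes(name.encode() * 64)
        (client / "a001.dat").write_bytes(b"a001.dat" * 64)  # intact copy
        (client / "sfdb.dat").write_bytes(b"sfdb.dat" * 32)  # truncated download
        (client / "a003.tmp").write_bytes(b"partial")        # leftover file
        return compare_bases(core, client)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Run `compare_bases` with the core's copy of the bases folder as the reference and the client's `ldclient\antivirus\bases` folder as the second argument; a difference can also mean the core has published newer definitions since the client last updated.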

                             

                             

                             

                             

                             

                            • 11. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                              Apprentice

                               

                              Thanks for the response.

                               

                               

                              Sounds like you are doing exactly what the basic product SHOULD do... I still haven't heard from anyone at LANDesk whether the 8.8 will do something like this.

                               

                               

                              We've had to push out LDAV twice since I've written... not only is the product fragile but it seems to stop running completely if it can't communicate with the core.  We had some core server issues...

                               

                               

                              Meanwhile, sounds like you may have the solution- I just don't know what to do with the file you sent- I guess I'm a NOOB...     Plz advise.

                               

                               

                              -B

                               

                               

                              • 12. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                                Employee

                                 

                                It's a custom vulnerability definition for Security & Patch Manager... download it and import it, then vulnerability scans which look for custom vulnerabilities will check out LDAV's state.

                                 

                                 

                                 

                                 

                                 

                                8.8 doesn't do anything different than 8.7.5 re LDAV, as far as I know, but that custom vulnerability is the first step in the right direction. If it tests out okay and solves enough people's problems, it has potential to become part of the official AV channel.

                                 

                                 

                                • 13. Re: LDAV vs. Exchange Broken this morning... Y2008 bug?  :)
                                  LANDave SupportEmployee

                                   

                                  Fribergb,

                                   

                                   

                                  Sorry, I should have been more specific.

                                   

                                   

                                  In your Security and Patch Manager tool, change Type of definitions to Custom Definitions (The drop-down window right above the list of Vulnerability Definitions).

                                   

                                   

                                  Then click the Import icon (Yellow diamond with Green Arrow). Then browse to the .XML file I sent. This will import it into your list. Make sure it is in the Scan group, and then check your Scan and Repair setting to make sure that on the Scan tab Custom Vulnerabilities is selected as one of the types to scan for.