honkman

Microsoft SSRS/ "Socket access refused" [In progress]


I created one of these GSI reports about 3 years ago and spent hours redacting usernames, computernames, domain names, etc from the files. I think it was the one from the KSC server, so it basically mapped out my entire network in too much detail for my comfort. Even this GSI report I ran today on a workstation, wow, it'll take me several hours with Notepad++ to search/replace information in the 54+ files involved. I'm considering creating a temporary local non-domain account on the affected computer and re-running the GSI program in order to save time redacting. Maybe I'm being a bit Tin Foil Hat, but I wonder how many people put these GSI reports up on public forums on public file-sharing services, using their real names and email addresses. I'll be uploading mine via CompanyAccount if I ever get around to it.

 

I think we've been pretty descriptive in our explanation of the problem. Even without a GSI report, do you have access to internal bugfix/privatefixes/etc progress from the developers? (For KES10 SP2 or whatever is next) Has anything like this been reported and recreated successfully at Kaspersky Labs yet? I can confirm that this is a Windows10-only thing. Windows 7 does not seem affected.

 

I just had ANOTHER confirmed glitch caused by this issue today. It was affecting GOOGLE EARTH this time. (First time for that one.) Ran Integrity Check, gave the errors. So I had the end-user disable/exit KES10, then Google Earth worked fine. Spent the next 15 minutes of my life running an UNINSTALL KES and REBOOT task, waiting for it to complete, then running a KES10MR3 installation task. Ran the definition updates. Integrity check is good now. User is able to use Google Earth again *WITH* KES10 running. (Please see my original post in this thread where I list 5+ different types of software affected by this.)

 

Thanks in advance for any info you can provide to give us hope. (While I work on redacting the GSI file.) Cheers,

 

Hello,

 

In order to solve the issue we need to give diagnostic information to the developers.

That's why we ask you for a full GSI report during trace collection and the results of the integrity check exported to a text file.

Please give a thorough description of the scenario when you collect KES traces.

Your concerns about confidential information are quite reasonable, please send it via PM to https://forum.kaspersky.com/index.php?showuser=488871

Thank you.


Greetings,

Further testing and research have led me to some interesting discoveries.

 

1. All computers exhibiting this problem have a G_OBJDT.DAT file sized at the 32bit process file size limit of ~4GB. (displayed as 4,194,399KB)

 

2. I am able to 'recover' these computers by deleting all the content in the "C:\ProgramData\Kaspersky Lab\KES10SP1\Report" folder.

2a. I have to use SAFE MODE to do it, even TAKE OWNERSHIP fails when trying to delete these files normally.

2b. ***If there is a utility to delete/clean these files or perhaps a command prompt trick without safe mode, let me know please.*** I will research further.

2c. Afterwards, the Integrity Check is clean again. No more write errors.

2d. I got this idea from this forum post: https://forum.kaspersky.com/index.php?showtopic=353691

 

3. I believe this glitch is related to this thread as well: https://forum.kaspersky.com/index.php?showtopic=349090

3a. The final answer given was to REINSTALL the software. (which would delete the REPORTS directory.)

 

4. This explains why UPGRADING from MR2 to MR3 doesn't solve the problem. Upgrades do not delete the report files I bet. But a full uninstall will delete them.

 

5. I have begun 'spot-checking' workstations to document file-sizes of the G_OBJDT.DAT file. (4,195,238KB and 4,195,196KB are a few more examples.)

5a. One KES10 client (integrity check still succeeds) was reinstalled on 9-6-2016 (16 days ago) and G_OBJDT.DAT is already 2.49GB in size. (power-user)

5b. Another KES10 client (integrity check still succeeds) that was originally installed 6-30-2016 (~82 days ago) is only 917KB in size. (barely used by interns)

5c. This leads me to conclude that it is activity-based. System Watcher logs? Unable to truncate/delete themselves when they reach max file size for a 32bit process (even on 64bit OS)?

 

Hope this helps narrow down the cause. The symptoms are strange for something as simple as an oversized/unwriteable log/report file, but I guess they are all interrelated somehow. We are a pretty simple environment. DELL hardware, Microsoft software, pretty normal stuff. I can't imagine any conflicts. (We do have a lot of exceptions in the Web Control policy, maybe I'll put a few workstations in a 'simpler policy' in KSC just for further testing.)

 

Cheers,

Edited by J. Earnhart
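
The spot-check described in point 5 above can be scripted. This is an added example, not part of the original thread and not a Kaspersky tool: it reads the size of g_objdt.dat over the admin share and relates it to the file's age. The host names are placeholders, the 50% warning ratio is an assumption, and using the file's creation time as a stand-in for the install date is also an assumption.

```powershell
# Added example: inventory g_objdt.dat across workstations (read-only, deletes nothing).
# Assumptions: placeholder host names; caller has access to the c$ admin share.
$Computers  = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')   # placeholders, replace with your own
$ReportFile = 'ProgramData\Kaspersky Lab\KES10SP1\Report\g_objdt.dat'
$LimitBytes = 4GB      # size at which the affected machines in this thread stopped working
$WarnRatio  = 0.5      # assumed warning threshold (fraction of the limit)

function Get-ObjdtStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    $path = "\\$ComputerName\c`$\$ReportFile"
    try {
        # Only file metadata is read; the file itself is not opened.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Computer = $ComputerName
            SizeGB   = $null
            AgeDays  = $null
            MBPerDay = $null
            Status   = "Unreachable: $($_.Exception.Message)"
        }
    }

    # Creation time approximates the last (re)install, as the posts in this thread assume.
    $ageDays = [math]::Max(1, ((Get-Date) - $file.CreationTime).TotalDays)

    $status = if ($file.Length -ge $LimitBytes) {
        'AtLimit'
    } elseif ($file.Length -ge ($LimitBytes * $WarnRatio)) {
        'Growing'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Computer = $ComputerName
        SizeGB   = [math]::Round($file.Length / 1GB, 2)
        AgeDays  = [math]::Round($ageDays, 0)
        MBPerDay = [math]::Round(($file.Length / 1MB) / $ageDays, 1)
        Status   = $status
    }
}

$Computers |
    ForEach-Object { Get-ObjdtStatus -ComputerName $_ } |
    Sort-Object SizeGB -Descending |
    Format-Table -AutoSize
```

The MBPerDay column makes the activity-based growth visible: a file that reached 2.49GB in 16 days shows roughly 160 MB per day, while a 917KB file after 82 days shows close to zero.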


@Dmitry Eremeev: Please provide short information about how to create the logs you need and where to find the logfiles on disk or how to extract/save them.

 

BR

CG


Guys, I found a workaround to avoid the full procedure of REBOOT, UNINSTALL, RE-INSTALL...

 

Earnhart is correct, deleting the content of the Report folder worked!!! (just tested on 3 PCs)

 

I found this post http://support.kaspersky.co.uk/2760#block2 from where I found out I have to disable Self-Defence in order to delete the reports.

 

These are the steps I am doing on affected PC:

 

- Disable Self-Defence (I did it through the policy)

- Stop KES on the affected PC

- Delete the content of folder \\PCName\c$\ProgramData\Kaspersky Lab\KES10SP1\Report

- Restart KES on the affected PC

- Enable Self-Defence (I did it through the policy)

 

Hope it helps

 


Thanks for the Self-Defence idea. It works.

Now if only I can figure out how to stop/start KES remotely from KSC, I could do this like a ninja while people are working on their computers. (stopping all components is not the same, I tried.)

Still a lot better than Safe Mode though! Thanks again.

Cheers,


see the image...

 

-Open Properties dialog of the PC (double-click the line from the Computer tab)

-Go to Applications tab

-Press the red square button (STOP) in the top-right corner

 

cheers


Thanks again. Funny how you can use something for years, yet still not get around to seeing everything. Cheers.

 


Now let's hope Kaspersky developers figure this problem out before my license renewal time in early 2017. I'm testing Trend Micro out in a lab environment because of all the hassle and time I've spent on this and other issues related to faulty AV software. But at least I have a quicker way to deal with the issue...

 

I've looked inside a few of these G_OBJDT.DAT files and most of it is garbled, but I can see some EXE and DLL files referenced, along with some file paths and such. I have also noticed that KES10 starts up faster when it doesn't have to scan through a 4GB file during startup. And uses less memory too.

 

Just for fun, I found a Windows 7 workstation with KES10MR1 (10.2.1.23) still installed, and is used by a regular person (PC is not idle), and the G_OBJDT.DAT file was created in November of 2014 (nearly 2 years ago!) and is only 5.79MB in size. On another Win7 workstation but having KES10MR2 (10.2.4.674) installed, power-user, the file was created 6-28-16 (~3 months ago) and is only 2.38MB in size.

 

So all Kaspersky developers need to do is determine HOW or WHY that file is 'growing out of control' on Windows 10 and then release a patch or PF that deals with it, even if it is a simple process to truncate or delete the file if it grows past a certain size. Or if that process already exists, determine why it is failing to work properly on MR2 and MR3 on Windows 10 computers.

 

Thanks!


Orondelli, or to whom it may concern,

~30 days later....

I learn of a Private Fix that supposedly addresses this issue. Only works on MR3 installs. I tried it on MR2 and it failed to install. I am rolling it out and monitoring to see if it worked. It definitely doesn't delete/trim/truncate the existing files, but hopefully they stop increasing in size. Only time will tell.

 

I found out about it at POST#6 of this thread: https://forum.kaspersky.com/index.php?showtopic=358690

 

"Considering reports, there is a known issue that happens on some hosts with KES 10 SP1 MR3.

File g_objdt.dat in %ProgramData%\Kaspersky Lab\KES10SP1\Report may be growing despite the size limitations you set in the policy (certain entries ignore that limitation by design).

 

According to the known issue 1807440, you can remove this file if it causes concern (however it can only be deleted locally, after turning off Self-Defense).

If you see this issue reoccur often, please request a diagnostic patch pf1749 from CompanyAccount (state the issue number, pf, and provide a link to this topic). See if the issue reoccurs with the patch installed."

I also noticed when running Integrity Check task on the affected PC I get these warnings:

 

Event type: Module signature check failed

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: c:\program files (x86)\kaspersky lab\kaspersky endpoint security 10 for windows sp1\

User: REGENTGAS\PMandair (Active user)

Component: Integrity check

Result\Description: Failed

Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\kneps_x64_602\kneps.sys

Object\Type: File

Object\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\kneps_x64_602\

Object\Name: kneps.sys

 

Event type: Module signature check failed

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: c:\program files (x86)\kaspersky lab\kaspersky endpoint security 10 for windows sp1\

User: REGENTGAS\PMandair (Active user)

Component: Integrity check

Result\Description: Failed

Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klwfp_x64\klwfp.sys

Object\Type: File

Object\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klwfp_x64\

Object\Name: klwfp.sys

 

Event type: Module signature check failed

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: c:\program files (x86)\kaspersky lab\kaspersky endpoint security 10 for windows sp1\

User: REGENTGAS\PMandair (Active user)

Component: Integrity check

Result\Description: Failed

Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klim6_x64_602\klim6.sys

Object\Type: File

Object\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klim6_x64_602\

Object\Name: klim6.sys

 

Event type: Module signature check failed

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: c:\program files (x86)\kaspersky lab\kaspersky endpoint security 10 for windows sp1\

User: REGENTGAS\PMandair (Active user)

Component: Integrity check

Result\Description: Failed

Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klfltdev_x64_602\klfltdev.sys

Object\Type: File

Object\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klfltdev_x64_602\

Object\Name: klfltdev.sys

 

Event type: Module signature check failed

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: c:\program files (x86)\kaspersky lab\kaspersky endpoint security 10 for windows sp1\

User: REGENTGAS\PMandair (Active user)

Component: Integrity check

Result\Description: Failed

Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klif_x64_nt602\klflt.sys

Object\Type: File

Object\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klif_x64_nt602\

Object\Name: klflt.sys

 

Event type: Module signature check failed

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: c:\program files (x86)\kaspersky lab\kaspersky endpoint security 10 for windows sp1\

User: REGENTGAS\PMandair (Active user)

Component: Integrity check

Result\Description: Failed

Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klif_x64_nt602\klif.sys

Object\Type: File

Object\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\klif_x64_nt602\

Object\Name: klif.sys

So it looks like KES gets corrupted after a few weeks!

 

Hello.

 

Have you tried using the newest KES release?

 

That might help.

Hi guys,

 

any news???? I am still having this issue. Very frustrating!

 

Thanks

 

Please see J.Earnhart's post for a suggestion (issue solved by using KES 10 SP1 MR2 + pf1749).

Let us know if you are able to resolve it this way.

 

Thank you.


It does NOT work. The patch is just a report collector for Kaspersky team.

 

:angry: :angry: :angry:


pf1885 has been created in order to fix the issue, and can be requested via CompanyAccount. During its installation, it removes the corrupted file and patches KES.

Installation on a test set of nodes first is advised.

 

Thank you.


I was talking about patch pf1749.... I will try pf1885.

 

thanks

 

 

 

Edited by orondelli

Hello,

 

Waiting for results from you.

 

Patch pf1885 installed but g_objdt.dat is still there on the client PC and it seems to be growing... I will try to delete the file manually and restart the PC.


It appears that you never mention which version of KES you have installed (SP1 or SP1 MR2 or SP1 MR3). The patch is designated for the latter.

Also, a new version KES SP2 has been released, in which no such issue has been reported. If possible, please upgrade a test host to check if this solves your issue.

 

Thank you.
