george.h

KES10 Shutting Down Already ON Systems [2001969]


Hi,

 

As Ivan Ponomarev stated above, turn on is applied via WOL, more exactly a magic packet, and to shut down, the machine with KES receives the command shutdown -f.

 

To figure out what is going wrong please collect admin server+admin server networkagent traces, KES+network agent traces from local host while the issue reoccurs.

 

Thank you!

 

Ok - In preparation for full testing and trace file generation, I've set up a Test Group. I've configured two test tasks, one Update task and one Virus Scan task. Both are configured (initially) with "Activate Computer" enabled, "Turn off computer after task is complete" disabled. I also have a Windows 7 Pro (32 bit) test bed machine which I've added to the group. This is on the local LAN so I can reliably turn it on/off and manage it using either KSC, standard WOL utilities and remote desktop.

 

This will allow me to do testing without getting bombarded with complaints from users about their machines shutting down on them. I can also vary the schedule as much as I like and with each task running as little or often as I need.

 

Testing and production of trace files may take a while. I'm on holiday for most of the next two weeks over Christmas, from Monday 19th December 2016 until Tuesday 3rd January 2017.

 

I have a "Company Account" setup under the email on my profile so will need a ticket generating on there for me to send the trace files in.

Edited by george.h

Hi,

 

We will be waiting for traces from you.

 

Thank you!

Hi Konstantin,

 

I've opened the ticket via "Company Account": INC000007110573

 

I've put the salient details into the ticket, plus a link to this thread. I've also mentioned that due to the Christmas holiday period it may be up to two weeks before I can actually generate and post trace logs.

 

MINOR UPDATE: My test PC in my Test Group ran its Test Virus Scan Task today, with only the "Activate computer before the task..." option enabled (i.e. wake up endpoint using WOL), and the "Shutdown computer after task is complete" option DISABLED, and right on cue at the end of the scan it SHUTDOWN!

 

Thank you for information. Wait for answer in the incident.

Well the latest is that I was informed via the Company Account incident that this was a "known issue" and to try the "fixed" version of "klcsnagt.dll" attached to the incident. Didn't make the slightest difference.

 

If you have "Activate computer before task" enabled, then it doesn't matter what you have "Shutdown computer after task" set to, or whether the PC was on or off beforehand, Kaspersky WILL ALWAYS shut it down.

 

Can you confirm that Kaspersky have actually verified, in their own labs using this version of KSC, KLNA and KES, that it actually WORKS and DOES NOT shut down PCs it is not supposed to? If not then before asking for traces you actually need to test it yourselves.

 

We're customers, not guinea pigs!

 

Please wait for reply within the incident.

 

BR

 

Well this is interesting...

 

The last update I had via Company Account under incident INC000007110573 was that they would keep the incident open until KSC10 patch "b" (which I see has just finished beta testing) was released and I'd tried it.

 

Well as far as I'm aware it hasn't been released, yet, but the incident has been marked as "resolved" - no it hasn't - and "closed". Why?

 

Hello.

 

Apparently you have been provided a workaround in the incident, which you have confirmed to be working. Patch B release in this case should make this workaround redundant and resolve the issue.

Incidents are closed automatically when no activity is happening within them. Patch B is not being released within the incident, which is why it got closed.

 

Thank you.

Erm... Not quite correct.

 

The "workaround" did NOT work. The DLL I was subsequently sent, which was supposed to be identical to the first, only with increased logging capability, behaved very differently. That one was NOT supplied as a workaround, merely to try and obtain more data. Clearly there is a difference between the two that affected the problem, when the two DLLs were supposed to be otherwise IDENTICAL.

 

No explanation has been given for the difference in behaviour, which means it merely HAPPENS to have MADE THE PROBLEM GO AWAY. There is a HUGE difference between fixing a problem and just making it go away. That difference is understanding what was causing the problem. Fixing the problem requires understanding. Making it go away involves "fiddling about" until it seems to work WITHOUT ANY UNDERSTANDING of why.

 

Without an explanation you've just happened to have made the problem go away, with a DLL which was supposed to be identical to the "workaround", which didn't work, but clearly wasn't.

 

Let me be very clear - the DLL supplied as a workaround DID NOT WORK.

Edited by george.h

Hi,

 

Why didn't you inform that within the incident you've created?

The last message was on 17th January.

 

BR

Erm.... I did!

 

The assumption from the Kaspersky side seemed to be that the second DLL (the one which wasn't supposed to fix the problem, just provide more information on why the DLL which WAS supposed to didn't) would be used, after investigation as to why it DID seem to fix the problem but the supposed fix didn't, in patch B.

 

It was left as the incident would be left open pending the release of patch B and my verifying it:

 

"Jan 12, 2017, 12:28:08 PM

Hi Akil,

 

Attached are the results from the first tests using the klcsnagt.dll file you supplied. One ZIP is the standard GSI report, the other contains ALL the log files produced by the agent with trace turned on. This test was with the machine already powered on but nobody logged on.

 

There is definitely something different going on with this DLL. Right up to the point at which I swapped the DLL over (stopped main Kaspersky, the klnagent.exe service, renamed the old DLL, dropped in the new one and started klnagent.exe and main Kaspersky again) it was being shut down after the update task if already powered up but nobody logged on. With the new DLL it STAYED ON even with no user logged in! So not sure what the traces will reveal as it seems to be working how I would expect it to - so far - if working properly."

 

The OLD DLL in the quote above is the ORIGINAL DLL supplied as a workaround. The NEW DLL is the second DLL supplied which was supposed to be IDENTICAL to the first, just with increased logging capability to help determine why the supposed workaround didn't work.

 

 

"Jan 17, 2017, 12:57:10 PM

Hi George,

 

Thanks for your reply, I will let you know when it is released and keep this case open until you have tried the patch and it has resolved your issue.

 

Kind regards

 

Akil"

 

Above is the last communication I had via Company Account

 

My concern is WHICH of those two DLLs is the one incorporated into patch B? The first which is supposed to be the fix but doesn't work, or the second which is supposed to be the first just with increased logging but actually seems to work (for reasons which have not been explained)?

Edited by george.h

Hi,

 

We don't have information on which of these two DLLs was included in Patch B, but developers said that this problem was fixed in Patch B.

 

Thank you!

Ok, so when is patch B going to be released? KLNA on all of my endpoints are still on patch A and the post about beta testing of patch B:

 

https://forum.kaspersky.com/index.php?showtopic=364395

 

said the release date would be announced soon, but I've not spotted anything.

 

Regards

George

Hi,

 

Patch B is already released.

http://support.kaspersky.com/13356

 

BR

 

Thanks for the link Artem. It might be useful if someone updated the beta testing post Patch B Beta Testing saying that the patch has been released.

 

Shame it is not an auto-patch. Too much manual faffing about with patches while effort seems to be devoted to non-core functionality. Stick to anti-virus/anti-malware and stop trying to do everything...

 

Please let us know if you have been able to resolve the issue using this patch.

 

Thank you!

In a word NO.

 

It is an improvement, but it still appears to shut down machines which were already on, but no user logged on - but not all of them. I need to roll out the patch to some more machines and do some more testing to determine why some were shut down and some not. Not being able to predict the circumstances under which it will or will not shut a machine down is really shoddy.

 

It is also becoming somewhat tedious being repeatedly asked for trace logs for this issue, supplying them, sent DLLs to test which are allegedly different only in logging level but in reality are very different, getting no answers, being told it has been fixed when clearly it has not, and insufficiently tested for this issue before being released.

 

I also notice that the "sticky" post about the beta testing of this patch still says:

 

"Please be kindly informed that we have finished testing of patch 'b" for KSC10 SP2.

We will announce the official release soon."

 

i.e. NO statement that it HAS been released. Or does this actually refer to a completely different patch "b". Your convention for naming patches and releases has become, shall we say, rather convoluted and hard to follow.

Edited by george.h

Patch B has been released: http://support.kaspersky.com/13356

Beta testing forum information is only relevant to beta testing matters; it is not used as a means to announce commercial releases or anything not related to the testing itself or its completion.

Specific questions like changes in versions of a certain driver should be addressed within CompanyAccount incidents.

 

Thank you.

Hi Kirill,

 

I appreciate your reply, but it might help if you had read some of the thread.

 

I DID raise a Company Account incident at the point (somewhere on page 1 I think) where I was asked to provide trace logs for this issue (the forum attachment restrictions make it almost impossible to send these logs via the forum). That incident has now been closed as "fixed" by a patch which had not been released (at that point). The DLLs I referred to were sent to me VIA the (now closed by Kaspersky) Company Account incident.

 

My comments about the release of patch B relate to the fact that in the last message I received via the Company Account incident, I was told it would be kept open until the patch was released. I was not told it had been released, and the only reference I could find to it was the beta testing post which said the "release date would be announced". I don't think burying the fact it has been released under the long "version information" topic counts as an "announcement". All it needed was a single line in the beta testing post to say "Now released dd/mm/yyyy" and giving a link to it. Is that SO much to ask?

 

Meanwhile I have an issue which appears to be ongoing, you've closed the Company Account incident relating to it and I am one very, very unhappy customer.

Edited by george.h

Hello,

 

Please create a new incident in CA and give a reference to the previous incident.

Summary text is sufficient to be filled :

patch B didn't help to solve the issue.

 

Sorry for the inconvenience caused.

We are having random restarts on machines with Agent 10.3.407

The Kaspersky Event log shows this normally when it happens:

 

The process C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe (POTTER) has initiated the shutdown of computer POTTER on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown

Reason Code: 0x80070000

Shutdown Type: shutdown

Comment: Kaspersky AdminKit shutdown signal.

The Update task "did" have the option ON "Activate computer before the task is started by the Wake On LAN function"

I recently removed the check and have not had a restart yet (only about 24 hrs).

We have over 4000 machines and work 24x7 and it takes a VERY long time to upgrade Agent.

So before I apply patch B, does it really work for the restart or Shutdown issue?

 

Hello,

 

Please attach an export of the task, an export of the task result and the Kaspersky event log in which the random restart events are displayed.

Please describe your problem with more details.

What did you try to resolve it already ?

Thank you.

 

I attached the Update Task and Scan task

Keep in mind that it is affecting a small number of the 4000 Workstations we have.

The error I put in the above message is from the Windows event log.

The Kaspersky Event log in the Kaspersky Client and Security center shows almost nothing.

The only thing I have done is remove the check in Wake up before the Scan task.

SC_KES10.2.4.647WksFriScanTask.txt

SCKES1024647UpdateTask.txt

Hi,

 

So this problem affects only a small number of the 4000 PCs?

Do these machines work under the same policy?

Has this issue occurred on the same machines and on every task start?

 

BR

All Workstations are under the same Policies.

It seems random but at least one machine reboots at least once a week with the message:

System Log

2/24 8:37:52PM The process C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe (UAPGAS2-OFF1) has initiated the shutdown of computer UAPGAS2-OFF1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown

Reason Code: 0x80070000

Shutdown Type: shutdown

Comment: Kaspersky AdminKit shutdown signal.

 

The Kaspersky application log on the device only has this a min before the shutdown:

Kaspersky Log

2/24 8:06:04PM Kaspersky Endpoint Security 10 for Windows (10.2.4.674): Task "SC-KES10.2.4.674 WksFriScan" started

2/24 8:36:52PM Kaspersky Endpoint Security 10 for Windows (10.2.4.674): Task "SC-KES10.2.4.674 WksFriScan" completed

2/24 8:37:54PM Product 'Kaspersky Endpoint Security 10 for Windows' has stopped

 

The other Windows event logs only show that services are being unloaded for the shutdown event.
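
The correlation done by eye in the post above (scan task completed, then a shutdown initiated by klnagent.exe about a minute later) can be run over exported log text from many machines. This is an added example, not part of the thread and not Kaspersky tooling; the sample lines are constructed in the layout quoted above, and the host name HOST-A, the 5-minute window and the assumed year are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the layout quoted in the post above.
# HOST-A and CORP\admin are placeholders, not values from the thread.
SYSTEM_LOG = r"""2/24 8:37:52PM The process C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe (HOST-A) has initiated the shutdown of computer HOST-A on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
2/25 9:15:00AM The process C:\Windows\System32\shutdown.exe (HOST-A) has initiated the restart of computer HOST-A on behalf of user CORP\admin for the following reason: Other (Planned)
2/27 2:00:10AM The process C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe (HOST-A) has initiated the shutdown of computer HOST-A on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown"""

KES_LOG = r"""2/24 8:06:04PM Kaspersky Endpoint Security 10 for Windows (10.2.4.674): Task "SC-KES10.2.4.674 WksFriScan" started
2/24 8:36:52PM Kaspersky Endpoint Security 10 for Windows (10.2.4.674): Task "SC-KES10.2.4.674 WksFriScan" completed
2/24 8:37:54PM Product 'Kaspersky Endpoint Security 10 for Windows' has stopped"""

STAMP = r"(?P<ts>\d{1,2}/\d{1,2} \d{1,2}:\d{2}:\d{2}[AP]M)"
SHUTDOWN_RE = re.compile(
    STAMP + r" The process (?P<proc>.+?) \((?P<host>[^)]+)\) has initiated the "
    r"(?P<kind>\w+) of computer \S+ on behalf of user (?P<user>.+?) for the following reason"
)
TASK_DONE_RE = re.compile(STAMP + r' .*Task "(?P<task>[^"]+)" completed\s*$')


def parse_stamp(stamp, year):
    # The exported lines carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %m/%d %I:%M:%S%p")


def agent_shutdowns(system_log, kes_log, year=2017, window=timedelta(minutes=5)):
    """Return one record per power event initiated by klnagent.exe, paired with
    the KES task that completed within `window` before it (task is None if none)."""
    completions = []
    for line in kes_log.splitlines():
        m = TASK_DONE_RE.match(line.strip())
        if m:
            completions.append((parse_stamp(m["ts"], year), m["task"]))

    findings = []
    for line in system_log.splitlines():
        m = SHUTDOWN_RE.match(line.strip())
        if not m or m["proc"].rsplit("\\", 1)[-1].lower() != "klnagent.exe":
            continue  # not a power event, or not initiated by the Network Agent
        when = parse_stamp(m["ts"], year)
        # Task completions that fall inside the window before this event.
        prior = [(t, name) for t, name in completions
                 if timedelta(0) <= when - t <= window]
        done, task = max(prior) if prior else (None, None)
        findings.append({
            "host": m["host"], "time": when, "kind": m["kind"], "task": task,
            "delay_s": int((when - done).total_seconds()) if done else None,
        })
    return findings


if __name__ == "__main__":
    for finding in agent_shutdowns(SYSTEM_LOG, KES_LOG):
        print(finding)
```

Records with a task name are the "shut down after task" pattern discussed in this thread; records with `task` set to `None` are agent-initiated shutdowns with no task completion nearby and need a separate explanation.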

 
