george.h

WOL Unreliable with KES 10.2.5.3201 [In progress] [INC000007828983]

Hi,

 

Some while ago, after much frustration and trace logs (via Company account) we finally seemed to get a version of KES/KLNA in which WOL was working again, these being 10.2.5.3201 for KES and 10.3.407 for KSC/KLNA.

 

Unfortunately over the past 3-4 weeks I've noticed it is broken - again.

 

I have two tasks using WOL, an update task which runs at 23:15 every night and a virus scan which runs at 00:15. Some machines now are NOT being woken up for the 23:15 update task. It is NOT always the same machines and NOT all the time. It had been working OK (I won't say well, as it used to be working beautifully before you broke it last time and the "fixed" version has only been "so-so"). So what has broken on it now?

 

I've checked the event logs on a couple of these machines today. The users shut them down before going home yesterday, and they were woken up to do the virus scan at 00:15 this morning. However, there is not a trace of them being woken up for the preceding update at 23:15. All the other endpoints in the same group worked OK (some were left on by their users, others were woken up by both tasks).

 

If I can't depend upon WOL working then I'm back to running updates and virus scans (which STILL cripples endpoints) during the working day, which is not acceptable.

 

I've also noticed that on these machines which appear to have "missed" their update task, if I run it manually they shutdown immediately afterwards, even though they are already on and a user logged on!

 

Any suggestions?

 

Also, why after I rolled out 10.2.5.3201 do some endpoints report as being "MR3" in the KSC version report and others as "MR2, MR3". All had MR3 rolled out to them in the same manner - uninstall, reinstall.

 

All endpoints are running 10.2.5.3201, KSC is 10.3.407 and KLNA on all is 10.3.407 with patches a and b.

Hello!

 

Please tell us, is there any possibility to update your KSC to the newest version?

 

Thanks!

Hi Ivan,

 

I'm planning to do that this weekend (6th/7th May). Do you have any firm information that this issue (or at least WOL issues) have been addressed by the latest version? Or will it be, as before when I updated to 10.2.5.3201/10.3.407, updating in "blind hope" that it will fix "something", possibly to find out it doesn't fix it at all?

 

Regards

George

The latest patch B for the 10.3 version was included into KSC10SP2MR1. This patch should have solved this issue.

 

In any case, if we want to investigate this problem deeply, we need first to update KSC to the latest version possible.

 

Thanks!

Hi Ivan,

 

Could you just clarify, when you say KSC10SP2MR1 do you mean KSC 10.3.407 (with patches A and B)?

 

If it is, then that is what we are running and all the clients are running KLNA 10.3.407 (with patches A and B). I've attached a version report for you.

 

If not, then please state which VERSION you mean. I can’t see anything in the software version report which allows me to find out anything other than the version number, so have no way (that I can find) to identify what SP and MR it is.

 

Also, while I think it is probably related to the earlier WOL issue, it is not quite the same.

 

The earlier issue affected virtually all endpoints and related to them either not being shutdown at all after a task has run (when configured to wake them up via WOL). Or it would shut ALL of them down even those already on.

 

This one is subtler. It only affects some machines and not in a consistent manner.

 

For instance, today of the 13 machines in the main management group all but 3 had worked (reasonably) correctly. Two of the three indicated that the last update was 2 days ago (it runs every 24 hours), and the third said 3 days. When I checked their event logs, there was indication of them being woken up for that task. Yet all 13 machines (some off and woken with WOL, others already on) did run the virus scan task scheduled for about an hour later.

 

It is the peculiarity of most machines happily being woken (if needed) for both tasks, and yet others will only be woken (if needed) for the second. And not always the same machines or every time.

 

I ran out of time to update the latest release last weekend but will tomorrow and see what happens.

Kaspersky_Lab_software_version_report__12_05_2017_10_49_39_.zip

...

For instance, today of the 13 machines in the main management group all but 3 had worked (reasonably) correctly. Two of the three indicated that the last update was 2 days ago (it runs every 24 hours), and the third said 3 days. When I checked their event logs, there was indication of them being woken up for that task. Yet all 13 machines (some off and woken with WOL, others already on) did run the virus scan task scheduled for about an hour later.

...

 

Just spotted a typo in the third sentence. Where it says "there was indication of them being woken up for that task", it should read "there was NO indication".

Hello!

 

KSC 10SP2MR1 has build version 10.4.343

 

As I have understood, you are up to update all the agents and your KSC to this version, right?

 

Thanks!

Hi Ivan,

 

Clearly when you state KSC 10SP2MR1 it is meaningless. I think it would be far better to just quote the version number. Then we both know what we are referring to, as I could find NOTHING to indicate what version KSC 10SP2MR1 is.

So no you have not understood. We are running the versions stated in my original post - KES 10.2.5.3201, KSC 10.3.407 and KLNA 10.3.407. Your nomenclature clearly isn't working well. All of this was also in the version report I attached.

 

Unfortunately my planned upgrading to the current release was put on hold due to the WannaCry incident - which didn't affect us but still required appropriate urgent checks to be made over the weekend which took priority.

 

So hopefully I'll get it done this weekend.

Hello,

 

Please update KSC and agent versions to identical patch level.

It's impossible to guarantee proper work if KSC server and all agent versions mismatch.

Is it possible to schedule update task in working hours? The task is not resource-consuming.

Thank you.

 

Hi Dmitry,

 

Erm as per my original post (and the Kaspersky Software Version Report I attached in an earlier post), KSC and agents ARE all currently at the same version and patch level, 10.3.407 with patches A and B. It used to be perfectly possible to schedule updates during working hours.

 

The task itself may not be resource consuming, but running around after it checking that all machines have been updated, powering up those machines that were off and updating them IS. That is when, quite some time ago, I started using WOL, which worked beautifully. That is until Kaspersky broke the WOL functionality (which I raised some while ago in another incident).

 

While WOL was working fine I had two updates, one at 11:00am and one at 11:00pm. WOL ensured all endpoints received both updates. If a PC was off, it was woken up, updated, then shut down again. If it was already on, it was updated and left as-is. It also worked great for running daily virus scans which are very resource consuming. They are now scheduled for 00:15 and depend upon WOL.

 

Then something happened and WOL stopped working. At first it stopped shutting machines down that it had woken up, which annoyed our lab staff as they didn't like some of the USB powered spectrometers being left on when not in use, especially over weekends and holidays. They wanted them shutdown.

 

The first attempt at fixing this (again this is all history from a previous incident) was even worse. It would power machines up, do the update, then power them down. Except it would power them ALL down, in the middle of the day, even with users logged on whether they had been powered up with WOL or not. That is how I ended up on KSC/KLNA 10.3.407 (with patches A and B) which SORT of fixed it, but not very well.

 

Since then it had been happily running the update at 11:00pm and the virus scan at 00:15, powering machines up if needed and powering them down again afterwards. NOT powering them down if a user was logged on was still too flaky and unreliable for me to risk running this during working hours.

 

Now we have the current situation where machines get powered up fine for the virus scan, but it has mysteriously stopped running the update task on random machines, whether they are on or off. If on, it just randomly doesn't do the update, sometimes for over 3 days. On machines that are off, it doesn't trigger WOL to wake them up for the update, but DOES for the virus scan.

 

In addition, those machines it has been failing to run the update task on, if I manually run the update it shuts the machine down afterwards, even though they are already on - but not always if a user is logged on. But sometimes even if a user IS logged on, it still shuts down the endpoint.

 

So now we are here. Today I'm just about to upgrade KSC to 10.4.343, and KES to 10.3.0.6294 (and presumably KLNA to 10.4.343).

 

We shall see what, if any, effect that has.

 

Hello,

 

I mentioned "identical versions" because it's better to have agents with the one patch level, for instance patch "B". You have A and B.

Is it acceptable to schedule update task in working hours and tick the item "to launch the task if it was missed"?

All machines will be updated after launch with no chance to be missed.

Anyway we wait your reply after upgrading to the latest version.

Please do not forget about management plugins.

Thank you.

Hi Dmitry,

 

I appreciate what you are saying, so could you point me in the direction of the information which said patch A must be uninstalled before installing patch B? Clearly I missed that.

 

Is it acceptable to schedule update task during working hours with "launch task if it missed" ticked? No. That does not even work reliably on the laptops we use it on. Sometimes it works, sometimes it doesn't. No way am I going to try that on the main estate when it is already proven to be unreliable. Your statement of "All machines will be updated after launch with no chance to be missed" I have found from experience, does not work.

 

I now have KSC upgraded to 10.4.343 (remembering to install the management console plug-ins) and all but 7 endpoints upgraded to KES 10.3.0.6294 with KLNA 10.4.343.

 

Of the 7 not yet upgraded, 3 are laptops which have been out of the country and are not yet back on the network (due this week). One is another laptop not due back on the network until tomorrow. I will upgrade that one then.

 

The remaining three are a problem. Two are desktops and one a laptop. All are XP SP3. They have all managed to upgrade the network agent to 10.4.343, but when it came to KES they all failed. Presumably this is because XP is not supported by 10.3.0.6294, so I guess these are going to have to remain on KES 10.2.5.3201 but with KLNA 10.4.343.

 

The XP machines aside, I've left all the desktop machines which upgraded successfully - bar one - shut down. This is to allow me to get an accurate picture of what happens when tonight's update and virus scan tasks are scheduled to run, though I do need to verify the tasks since during the upgrade it (again) produced a whole raft of "converted" tasks. I may just delete and recreate the tasks anyway, to be sure.

 

The one I left powered up is at the far end of "branch office VPN". This is to verify that Kaspersky will use that as a proxy to wake the other machines on that sub-net up via WOL, as it used to and still seems to. Otherwise WOL just doesn't work in that situation.

It's a kind of misunderstanding. I thought you have machines with patch A (without B) and you have machines with patch B.

Now I see that all machines were upgraded to patch B.

We wait reply from you tomorrow regarding WOL.

Thank you.

 

Where do I start. Not ONE, not a single one of the machines on the main estate updated. They all ran the 00:15 virus scan, but NONE ran the update. Even though they were all off, approximately half had been left powered on, half powered off.

 

At the far end of the branch office VPN one machine (the one left on) attempted to run the update - and failed with "Failed to receive file". Manually waking up all the machines at the end of the VPN and manually running the update resulted in ALL FOUR failing.

 

So far this has been an utter joke.

Hello!

 

Could you please collect the full GSI Report from one of the problematic machines?

 

Thanks!

For which problem? The problem I was originally recommended to upgrade to the current version to try and fix? Or the raft of problems introduced by the upgrade itself?

 

I have 4, sometimes 5, machines at the far end of a Watchguard BOVPN which (since upgrading) attempt to run the scheduled task but now persistently fail with "Event type: Error in interaction with Kaspersky Security Center. Result: Failed to receive file". The ONLY thing which has changed is KSC and KES. Nothing about the Watchguard appliances at either end of the BOVPN has changed.

 

I have some laptops which appear OK - apart from one which the user had reported minor issues with Outlook 2016, but after I upgrade to KES 10.3.0.6294 and KLNA 10.4.343 immediately reported 47 unprocessed objects. Shortly before the upgrade it has completed (under KES 10.2.5.301 and KLNA 10.3.407) both an update and full scan. After, it just goes berserk reporting the same 47+ unprocessed objects every time it starts up. (Now quarantined just in case but now essentially trashed).

 

NONE of my main estate machines now run the scheduled update task, even though they run the scheduled virus scan task ok. If I start it manually, they ALL shutdown afterwards, user logged on or not.

 

So, which problem do you want?

 

Tomorrow I think I'll give ESET a call, as we only have 81 days left on this garbage before the next license renewal is due.

 

Too many non-core bells and whistles while the core features seem to have ever increasing issues.

Hi,

 

Very sorry to hear about that.

I have 4, sometimes 5, machines at the far end of a Watchguard BOVPN which (since upgrading) attempt to run the scheduled task but now persistently fail with "Event type: Error in interaction with Kaspersky Security Center. Result: Failed to receive file". The ONLY thing which has changed is KSC and KES. Nothing about the Watchguard appliances at either end of the BOVPN has changed.

Please provide us with a screenshot of that error and with a GSI from that host?

I have some laptops which appear OK - apart from one which the user had reported minor issues with Outlook 2016, but after I upgrade to KES 10.3.0.6294 and KLNA 10.4.343 immediately reported 47 unprocessed objects. Shortly before the upgrade it has completed (under KES 10.2.5.301 and KLNA 10.3.407) both an update and full scan. After, it just goes berserk reporting the same 47+ unprocessed objects every time it starts up. (Now quarantined just in case but now essentially trashed).

If there are no real unprocessed objects at hosts, you can delete a host from the group and from unassigned computers. Add these hosts back to KSC and for the group to return them back to normal.

 

NONE of my main estate machines now run the scheduled update task, even though they run the scheduled virus scan task ok. If I start it manually, they ALL shutdown afterwards, user logged on or not.

Please make sure that the option to shutdown PC after task is finished is disabled.

As for schedule task we will need admin server traces at the moment when scheduled task starts (couple of minutes before start and couple of minutes after).

 

Thank you!

 

Hi Nikolay,

 

1. I'll provide screen shots of the "Error in interaction with..." issue and do the GSI report from one of the affected machines.

 

2. Define "no real unprocessed objects". All of them (about 47 each time) appeared to be system files, the alerts being generated at boot-up.

 

3. The "Shutdown PC after task" has ALWAYS been off ever since WOL was broken the first time! I used to have to use it to cause PCs which had been woken up via WOL to be shut down again. Then you broke WOL and stopped shutting them down at all. Then you tried fixing it and it shut EVERYTHING down even with the shutdown option unticked (and it has remained unticked ever since). Then you "half" fixed it, ever since which it's been not great, and now it seems even more broken - again.

Could you please provide us with a screenshot of these detections as well (both from local host and from KSC).

 

Thank you!

Hi Nikolay,

 

I'll obtain screenshots etc. from the laptop with the "multiple unprocessed objects" issue on Thursday when I am physically in front of the machine. I'm not risking it being on the network without me being there in case it is something more insidious causing the problem.

 

The other issues:

 

All my main estate machines successfully ran their scheduled update task at 23:15 last night. It was a mix of on shutdown machines and all the shutdown machines powered up via WOL, did the update, then shutdown again - I think. This was my initial issue, that several (random machines) were just not running the task. I'll have to monitor this for several days to see if they ALL continue to update reliably.

 

I'll also need to do some additional tests to determine how well WOL is working. Most of the already on PCs did not have users logged in, yet still remained on after the task, which is a departure from the previous behaviour. This I don't have a problem with, providing, if I run the task (using WOL) with users logged in they still don't shutdown. I much prefer it if ONLY machines which have been woken up by WOL for the task are shutdown again afterwards, and machines already on are left on.

 

Best guess for what may have happened is that following the upgrade of KSC, the existing tasks were converted. When I upgraded KES on the endpoints it failed to properly apply the converted tasks. When I re-verified the WOL based update task for the main estate group, to set the start date and time to 23:15 on 22/05/2017, it was properly applied. However, this doesn't explain why the virus scan task didn't have an issue.

 

BOVPN Update Failure

 

The four machines we have at the far end of a Watchguard BOVPN still did not update. Again all ran the task but failed to receive the update file. I've attached screen shots from both KSC and one of the endpoints showing this.

 

If you want GSI traces I'm going to have to open a Company Account incident to upload them. Every time I do this Kaspersky UK moan at me, even though it is in response to a request on here.

 

Could you please provide us with a screenshot of these detections as well (both from local host and from KSC).

 

Thank you!

 

and this is the second screen shot from the endpoint

 

post-376085-1495530317.jpg

post-376085-1495530388.jpg

Could you please provide us with a screenshot of these detections as well (both from local host and from KSC).

 

Thank you!

 

Hi Nikolay,

 

I've not been able to get screenshots of the detections yet (not physically with the laptop until Thursday). However the user, against instructions, powered it on again today. As soon as he did I received the following twelve notifications via email (system is a Dell M3800 Precision Workstation Laptop running Windows 7 Pro x64). Which is how I knew he had just switched it on.

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:04:43 (GMT+00:00)

Event type: Object not processed

Application\Name: Microsoft® Volume Shadow Copy Service

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 7156

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\VSSVC.exe

Object\Name: VSSVC.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:04:50 (GMT+00:00)

Event type: Object not processed

Application\Name: Windows Update

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 6436

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\wuauclt.exe

Object\Name: wuauclt.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:04:50 (GMT+00:00)

Event type: Object not processed

Application\Name: Microsoft Malware Protection Signature Update Stub

Application\Path: C:\WINDOWS\temp\{AD8ED448-D6F7-4A74-BC47-951432519830}\

Application\Process ID: 6288

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\Temp\{AD8ED448-D6F7-4A74-BC47-951432519830}\MPSigStub.exe

Object\Name: MPSigStub.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:28 (GMT+00:00)

Event type: Object not processed

Application\Name: Microsoft® Windows Backup

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 6712

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\sdclt.exe

Object\Name: sdclt.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:28 (GMT+00:00)

Event type: Object not processed

Application\Name: Windows SQM Consolidator

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 5224

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\wsqmcons.exe

Object\Name: wsqmcons.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:29 (GMT+00:00)

Event type: Object not processed

Application\Name: Microsoft Windows Diagnostics Tracking Runner

Application\Path: C:\WINDOWS\System32\compattel\

Application\Process ID: 6536

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\CompatTel\diagtrackrunner.exe

Object\Name: diagtrackrunner.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:29 (GMT+00:00)

Event type: Object not processed

Application\Name: Microsoft Compatibility Telemetry

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 5752

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\CompatTelRunner.exe

Object\Name: CompatTelRunner.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:30 (GMT+00:00)

Event type: Object not processed

Application\Name: General Telemetry

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 4500

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\generaltel.dll

Object\Name: generaltel.dll

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:30 (GMT+00:00)

Event type: Object not processed

Application\Name: Device Display Object Function Discovery Provider

Application\Path: C:\WINDOWS\System32\

Application\Process ID: 4072

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\System32\DeviceDisplayObjectProvider.exe

Object\Name: DeviceDisplayObjectProvider.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:05:43 (GMT+00:00)

Event type: Object not processed

Application\Name: Dism Host Servicing Process

Application\Path: C:\WINDOWS\temp\65905CD7-086B-45E0-BA8D-9AB8ABAED605\

Application\Process ID: 4356

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\WINDOWS\Temp\65905CD7-086B-45E0-BA8D-9AB8ABAED605\DismHost.exe

Object\Name: DismHost.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:10:52 (GMT+00:00)

Event type: Object not processed

Application\Name: Office Subscription Licensing Heartbeat

Application\Path: C:\Program Files (x86)\microsoft office\root\vfs\programfilescommonx86\microsoft shared\office16\

Application\Process ID: 5440

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe

Object\Name: OLicenseHeartbeat.exe

Reason: Skipped

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 23 May 2017 15:11:02 (GMT+00:00)

Event type: Object not processed

Application\Name: Microsoft Office Click-to-Run Client

Application\Path: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\

Application\Process ID: 2480

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe

Object\Name: OfficeC2RClient.exe

Reason: Skipped

 

Regards

George

Edited by george.h
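A burst of notifications like the twelve quoted in the post above is easier to triage once parsed and grouped. The following is an added example, not part of the original post and not Kaspersky tooling: a small parser for that e-mail notification layout, run over a constructed sample (host, domain, application and object names are made up); the function names and the full-month-name date format are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the notification layout quoted in the thread (values are made up).
SAMPLE = r'''Event "Object not processed" happened on computer HOST01 in the domain EXAMPLE on 23 May 2017 15:04:43 (GMT+00:00)
Event type: Object not processed
Application\Name: Example Service
Component: Application Privilege Control
Object: C:\WINDOWS\System32\example.exe
Reason: Skipped

Event "Object not processed" happened on computer HOST01 in the domain EXAMPLE on 23 May 2017 15:05:43 (GMT+00:00)
Event type: Object not processed
Component: Application Privilege Control
Object: C:\WINDOWS\Temp\0000-EXAMPLE\stub.exe
Reason: Skipped
'''

HEADER = re.compile(
    r'^Event "(?P<event>[^"]+)" happened on computer (?P<host>\S+) '
    r'in the domain (?P<domain>\S+) on (?P<when>\d{1,2} \w+ \d{4} \d\d:\d\d:\d\d)')

def parse_notifications(text):
    """Split concatenated notification e-mails into one dict per event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a header line starts a new event
            ev = m.groupdict()
            ev["when"] = datetime.strptime(ev["when"], "%d %B %Y %H:%M:%S")
            events.append(ev)
        elif events and ": " in line:  # "Key: Value" detail of the current event
            key, value = line.split(": ", 1)
            events[-1][key] = value
    return events

def triage(events):
    """Summarise a burst: volume, time span, grouping, objects run from a temp directory."""
    temp = [e["Object"] for e in events if "\\temp\\" in e.get("Object", "").lower()]
    times = [e["when"] for e in events]
    return {
        "count": len(events),
        "by_component_reason": Counter((e.get("Component"), e.get("Reason")) for e in events),
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0,
        "temp_objects": temp,
    }
```

Calling `triage(parse_notifications(text))` on the pasted e-mail bodies shows at a glance whether a burst comes from a single component and reason, and which objects ran from temporary directories and deserve a closer look first.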

Hi,

 

Very sorry to hear about that.

 

Please provide us with a screenshot of that error and with a GSI from that host?

 

 

Thank you!

 

Hi Nikolay,

 

I've created trace files for one of the machines giving the "Error in interaction with Kaspersky Security Center. Failed to receive file", along with GSI report from the host.

 

Uploaded to Company Account under INC000007828983

 

Regards

George

 

Hi Nikolay,

 

I've created trace files for one of the machines giving the "Error in interaction with Kaspersky Security Center. Failed to receive file", along with GSI report from the host.

 

Uploaded to Company Account under INC000007828983

 

Regards

George

 

Please expect a reply within your CompanyAccount incident soon.

 

Thank you.

Please expect a reply within your CompanyAccount incident soon.

 

Thank you.

 

Thanks Kirill.

 

I did notice that in the trace logs it was showing "error 50" beside the "Error in interaction with Kaspersky Security Center".

 

On the other issues - the laptop with the multiple unprocessed objects seems to have "settled down". At least it is now producing far fewer notifications. Best guess is that when I upgraded it to KES 10.3.0.6294/KLNA 10.4.343 it had to complete a full scan following the upgrade and it was chucking out all sorts of spurious notifications. Doesn't fill me with confidence without knowing why - especially as it was the only machine to do it.

 

Any thoughts on that?

 
