george.h

WOL Unreliable with KES 10.2.5.3201 [In progress] [INC000007828983]


Please expect a reply within your CompanyAccount incident soon.

 

Thank you.

 

I should point out that I'm using the Company Account purely as a way of uploading the requested information. I'm not looking for support via that route.

 


 

I think I now have a handle on the spurious multiple "unprocessed objects" issue with the Dell Precision M3800 laptop.

 

Looking through the endpoint's logs, it appears that for some reason it took KES a while to sort through and verify the authenticity and digital signatures of a number of system files. As it was able to verify each one, it elevated its Application Control privilege into the "Trusted Applications" group. Once that had happened, each system file stopped causing an "unprocessed object" alert.

 

The one remaining one is an update for NVIDIA:

 

Event "Object not processed" happened on computer 9D34V32 in the domain COLHOL on 25 May 2017 13:00:49 (GMT+00:00)

Event type: Object not processed

Application\Name: Unknown

User: NT AUTHORITY\SYSTEM (System user)

Component: Application Privilege Control

Result\Description: Not processed

Object: C:\ProgramData\NVIDIA\Updatus\Packages000a139\CoProc update.22132285.exe

Object\Name: CoProc update.22132285.exe

Reason: Skipped

 

So once that gets verified and elevated (manually by me perhaps), the Kaspersky issues for this laptop should be over.


Hi,

 

Could you please collect KES traces while it detects "unprocessed objects"?

Please use any file sharing resource to upload traces and provide us with a link.

 

Thank you!


 

Hi Nikolay,

 

These are not "unprocessed objects"; they are "not processed - skipped". It's quite hard to find any information on how to deal with them.

 


Hi,

 

Could you please collect KES traces at the moment of your problem reproduction?

 

Thank you!


Any news on why none of the machines at the far end of our WatchGuard BOVPN can receive updates from KSC any longer since upgrading KES/KSC to SP2? I provided traces, GSI reports etc. on the 24th May.

 

This is starting to become a real pain.


 

Hi!

 

We informed the respective persons about your incident.

 

Please wait for the answer from the incident soon.

 

Thanks!


 

Hi Konstantin,

 

I've created traces and a GSI report on the affected Dell Precision M3800 laptop. However, before submitting those I thought, as this is the ONLY laptop to have exhibited this issue, it would be worth trying one last thing. So, I've used kavremvr v1.0.1194 (the newest I could find) to completely uninstall KES 10 SP2 (10.3.0.6294), then used KSC to remotely uninstall KLNA, and completely reinstall it from scratch.

 

So far I've not had a repeat of any of the "object not processed" notifications. However, the acid test will be when it is first powered on tomorrow morning. After updating its databases and doing a full scan I've left it shut down. Being a laptop, it isn't woken up via WOL for overnight updates and scans. I did get this notification during the re-installation which I've not seen before, but then all the other endpoints did not have KES and KLNA completely removed before upgrading:

 

Event "Suspicious network activity detected" happened on computer CHL-FS-01 in the domain COLHOL on 05 June 2017 20:06:33 (GMT+00:00)

Event type: Suspicious network activity detected

Application\Name: Kaspersky Endpoint Security 10 for Windows

Application\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\

User: ****\******* (Active user)

Component: Protection

Object: 9D34V32.colhol.com

Object\Name: 9D34V32.colhol.com

Reason: The number of login attempts by the user CHL-FS-01\KL-AK-3B52CF9DDC87C0 exceeded 30 for 2 minutes during the period from 05/06/2017 19:51:32 to 05/06/2017 20:06:32.

 

Is this normal (user name blanked out by me)?

 


Hi,

 

Please check how many KL-AK-**** users this computer has.

 

Thank you!


 

I don't understand what you mean. This is the (single) local user account created by KSC on the server (CHL-FS-01, not a DC) upon which KSC is installed, and under which the KSC Administration Server runs.

 

On the other hand, ripping out KES 10.3.0.6294 using kavremvr, then ripping out KLNA 10.4.343 and re-installing the whole lot from scratch, does appear to

 


 

Hi Ivan,

 

This is now becoming critical. The four machines at the far end of the Watchguard BOVPN have ONLY been receiving updates since being upgraded to KES 10.3.0.6294/ KLNA 10.4.343 (and KSC being updated to 10.4.434), by me adding in the Kaspersky Servers as an update source in addition to our Admin Server. Now TWO of the machines are persistently failing to update even from those.

 

Instead they log a multitude of events of the type below (which are only about a quarter of them) before failing altogether:

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-09.geo.kaspersky.com/

Object\Path: http://dnl-09.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-06.geo.kaspersky.com/

Object\Path: http://dnl-06.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-16.geo.kaspersky.com/

Object\Path: http://dnl-16.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-08.geo.kaspersky.com/

Object\Path: http://dnl-08.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-19.geo.kaspersky.com/

Object\Path: http://dnl-19.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-01.geo.kaspersky.com/

Object\Path: http://dnl-01.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-12.geo.kaspersky.com/

Object\Path: http://dnl-12.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-14.geo.kaspersky.com/

Object\Path: http://dnl-14.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Event type: Network update error

Result: Error downloading update files

Object: http://dnl-07.geo.kaspersky.com/

Object\Path: http://dnl-07.geo.kaspersky.com/

User: NT AUTHORITY\SYSTEM (System user)

Release date: 08/06/2017 9:33:00 AM

 

Regards

George


 

Ok

 

I've managed to get the four machines at the far end of our Watchguard BOVPN updating again, at least from Kaspersky's servers, by tweaking the HTTP Proxy rules on the Watchguard T10 firewall on that site. It has a more restrictive policy for HTTP responses where the body contents included Windows EXE/COM. By easing that slightly (now set for AVScan as per the policy on our main M200 firewall) they are now receiving updates again, but still not as they should be.

 

I added the Kaspersky Servers as an update source to the update task as a stop-gap measure, when I found that updating from our Kaspersky Admin server suddenly stopped working across the BOVPN after upgrading to SP2. That part STILL doesn't work, when it had been working fine prior to upgrading to SP2. The stop-gap measure had been working for about a week until that suddenly started to fail as well - yet no changes (until now) had been made to our firewalls.

 

Clearly something has changed about the way KES/KLNA interact with the Admin Server (and Kaspersky servers) during the update process, but what? I still need that to work, as allowing multiple machines on our internal network to obtain Kaspersky updates NOT via our Admin Server is not a solution.

Thanks Kirill.

 

I did notice that in the trace logs it was showing "error 50" beside the "Error in interaction with Kaspersky Security Center".

 

On the other issues - the laptop with the multiple unprocessed objects seems to have "settled down". At least it is now producing far fewer notifications. Best guess is that when I upgraded it to KES 10.3.0.6294/KLNA 10.4.343 it had to complete a full scan following the upgrade, and it was chucking out all sorts of spurious notifications. Doesn't fill me with confidence without knowing why - especially as it was the only machine to do it.

 

Any thoughts on that?

 

Please note that you are describing unrelated multiple issues all spread out in one large topic, across multiple messages, which appears to lead to more confusion with every post, instead of clarity. While some of the issues may appear trivial and may be solved on the forum alone, others require the collected data to be analyzed by developers. This is why CompanyAccount has been recommended as a means to deal with the issues, as it allows collecting information and providing suggestions on a per-issue basis.

The same goes for the forum as well. If you need all of the problems to be processed in parallel and avoid pieces of information missing out, please either submit an incident or create an individual topic for each. Please specify which is the task at hand to be handled in this topic and summarize the others separately if possible.

 

Thank you.


 

Hi Kirill,

 

"Unrelated" is a matter of opinion and perspective.

 

The key issue of this topic is "WOL unreliable" with random machines failing to be woken up for updates via WOL, or failing to run the task if on, and not shutting down afterwards reliably.

 

The advice I was given was "upgrade to KES/KSC SP2" (no version number given, which WAS confusing). However, after establishing clearly WHICH version SP2 referred to (KES 10.3.0.629 and KLNA/KSC 10.4.343) I followed it to have the WOL issue progressed.

 

All the other issues are as a DIRECT RESULT of following that advice. If you wish me to split them off, fine. However, in my view they are related, related to following the advice from Kaspersky which directly caused them, namely:

 

1. One laptop repeatedly reporting multiple (initially 34 each time) "Object not processed" events - no answers provided. Fixed by me by ripping out KES 10.3.0.629 and KLNA 10.4.343 completely using kavremvr and re-installing.

 

2. All four machines at the far end of a Watchguard BOVPN suddenly failing to update every single time (after SP2 upgrade) from the Kaspersky Admin server. Every time failing with "Error in interaction with Kaspersky Security Center - failed to receive file" - actually reporting error 50. No answers provided to date. Temporary work-around of configuring update task to use Kaspersky Servers as an additional update source worked for several days before they ALSO suddenly started failing. Fixed only by modification of firewall rules, rules which had been working fine.

 

And I STILL do not know if this even fixes the original issue. All I can say is WOL now behaves differently, yet again, to how it used to.

 

Regards

George

 


 

This topic can be closed off. I will create two new topics to address the existing issues. I'll close off INC000007828983 as that was purely a mechanism to upload traces.

 

Much appreciated

George

 


 

Thank you.

Please expect our engineers to respond to the issues one per topic as usual.

However, please note that forum support capabilities are limited compared to those in CompanyAccount; in particular, certain technical details about some functionality operation principles might only be disclosed on a by-request basis to the customer and not publicly. Most localized, reproducible and traceable issues can be escalated directly from the forum, though.
