Kaseya Community

VSA 9.2.0.10 KAV user stations not updating defs


Ever since we went to VSA 9.2.0.10, we've had an issue across all organizations and profiles where the user stations are not updating threat defs.  In looking at my list of roughly 200 machines, only about 25 of them have today's definitions.  All the other machines are between 1-7 days old. All profiles had "Automatic" set, but when I found that to not be working, I changed them to scheduled, every 8 hours.  That's still not resolving the issue and 60% of our machines are in the 3-7 day old range.

If I manually select machines and [Update], then it seems this does update all the selected systems (after about a half hour and the VSA display is refreshed).

But there's definitely something not working with AV updates.  Most of our clients are now at 10.2.4.674, but some are still at 10.2.1.23.  Neither updates more reliably than the other.

Has anyone seen this behavior?



removing sticky
[edited by: Nicolas Ponce at 11:59 AM (GMT -7) on May 12, 2016]
Verified Answer
  • As many of you have reported, there are issues with the KAV module which the last set of patches have not fully resolved across all use-cases.   The upgrade to the latest underlying engine (in mid-January) has caused problems in some environments with certain OS/Version combinations.   Specifically, there are four specific issues we are actively working on a fix for:

    1. KAV Virus Definition Updates on the endpoint are occurring, but are not reflected in the Kaseya UI.  

    2. A profile is set, but does not properly complete, resulting in the endpoint not updating its KAV Virus Definitions.

    3. A KAV component fails, but that status is not reflected in the VSA UI.

    4. A KAV profile incorrectly reports that it is out of compliance.

    In addition to fixing these specific issues, the next patch will include several underlying architectural changes to make the KAV endpoint to VSA  communication and messaging more robust and efficient which will improve the overall reliability and performance of the module.

    This patch is going through our new QA process, which has been implemented by our CTO, and we expect to release it as 9.2.0.16 by the end of this week (March 25th).

    We understand the criticality of these issues to our customers and we are working to ensure the quality of the 9.2.0.16 patch as quickly as possible.  We apologize for problems you have experienced and we are committed to bringing these issues to resolution.
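An added example, not part of the thread and not Kaseya's code: a triage script that separates endpoints whose definitions really are stale (issue 2 above) from endpoints that updated but whose date is not reflected in the VSA (issue 1 above). It assumes you can collect, per machine, the date shown in the VSA and the date read on the endpoint; the CSV layout, hostnames and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample (hostnames, dates and column names are made up):
# vsa_defs   = definition date the VSA shows for the machine
# local_defs = definition date read on the endpoint itself (blank = not checked)
SAMPLE = """\
host,vsa_defs,local_defs
ws-01,2016-02-24,2016-02-24
ws-02,2016-02-19,2016-02-24
ws-03,2016-02-18,2016-02-18
ws-04,2016-02-24,2016-02-20
ws-05,2016-02-23,
"""

def _parse(value):
    """ISO date string -> date, or None for a blank cell."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None

def classify(vsa_defs, local_defs, today, max_age_days=1):
    """Label one endpoint by comparing both dates against today."""
    if local_defs is None:
        return "unknown"                      # no local reading to compare against
    local_stale = (today - local_defs).days > max_age_days
    vsa_stale = vsa_defs is None or (today - vsa_defs).days > max_age_days
    if local_stale:
        # The endpoint really is behind; "vsa_ahead" means the console hides it.
        return "stale" if vsa_stale else "vsa_ahead"
    # The endpoint is current; a stale console date is only a reporting problem.
    return "reporting_lag" if vsa_stale else "current"

def triage(csv_text, today):
    """Group hostnames from the CSV by classification label."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(_parse(row["vsa_defs"]), _parse(row["local_defs"]), today)
        buckets.setdefault(label, []).append(row["host"])
    return buckets

if __name__ == "__main__":
    for label, hosts in sorted(triage(SAMPLE, date(2016, 2, 24)).items()):
        print(f"{label:14} {len(hosts):2}  {', '.join(hosts)}")
```

Machines labelled `reporting_lag` are protected and only misreported; `stale` and `vsa_ahead` are the ones that actually need an update forced on the endpoint.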

All Replies
  • Have you looked at these machines on a local level to ensure it is not an issue pertaining to the Kaspersky product itself?  On my 9.2 test server - I noticed one machine on the latest 10.2.4.674 out of date; I logged into the endpoint to notice:

    If you see the above - the issue lies with the Kaspersky updater component and requires attention.  This can be scripted; however, it requires knowledge of the password set on the UI.

  • Yes, I have two tickets opened for KAV 9.2.0.10 issues.  One is for the definition updates and the other is for upgraded clients showing as KAV 10.1.249 on the system but indicating 10.2.4.674 within the VSA.

  • Yes - we are experiencing similar problems.

    It appears the new version has created a file share called 'kavupdater' - it's sharing out the c:\kworking\kav\updater folder on the server housing the LAN cache, and it looks like the endpoints are attempting to reference this share rather than the original LAN cache. The share is read-only, so presumably the server itself needs to provide the updates... which begs the question - what happens if there is no KAV on that server?

    I've just run the update process on the server housing the LAN cache and this does look to have updated the files in the c:\kworking\kav\updater\index and c:\kworking\kav\updater\autopatches subfolders.

    So - Kaseya - what gives? Have I missed something? What's with the new 'kavupdater' file share on the server's C: drive under kworking\kav? What happened to using the LAN cache?

  • Yeah, we're seeing the same thing you're showing above; update status shows "Stopped" and if it's more than 3-4 days since the last update it will show the "extremely out of date" messaging.  

    Manually clicking "Update" within the KAV Client above properly updates the client, and in MOST cases, selecting the client in the AntiVirus section of the VSA and launching an update appears to properly update the client as well.  But it's a pain, remembering each day to go in there, select every client, and manually update when it should be fully automated.  The problem is that we custom-set the passwords differently for each organization---we don't re-use across all orgs, so if it requires the KAV Uninstall password no one single script is going to be able to update all organizations at once.

  • FWIW, I'm also experiencing the same problem.  I'm on hosted Kaseya, and at least half my machines stopped automatically updating defs on January 26th.  Forcing an update from the console works, as does manually running the update on the endpoint.  They just refuse to auto update.  I also opened a ticket with support.

  • This is a known issue and I reported it with an open ticket going back 7 months. I've been told that Engineering is completing the packaging of this fix for 9.2. It should be released very, very soon.

    You may also notice that after you manually do Get Status, those same endpoints now show the Profile is out of Compliance after the updates are in sync. I reported that today and Support watched my Database as the records updated the def status and then marked a different record flag as out of compliance. I will know more tomorrow regarding this issue and will advise on this thread.

  • New issue after you do a get status.

    The Get Status update is now setting the flag in the database that the machine's Profile is out of Compliance.  While in the database we watched as machines after a forced get status had the definition and client dates match, and the out of date flag was updated, the compliance flag was now set. Support was on the phone with me watching while this occurred. Antonio took several screenshots to document the action. My belief is that this is bad code in the script in the database causing these flags to be truly out of sync.

  • same issue here. what's worse is this was happening in 9.1 and got patched a month or so ago. i upgraded to 9.2 for the win10 support and it starts happening again. support says it's known and should be fixed in the next patch release for 9.2.

    i should have known better than to assume it would be fixed in 9.2 since it already was in 9.1

  • We've been duped again. Was just told that early Feb is now maybe 3+ weeks from now. Should be in the next patch release with about 50+ other fixes. So much for fixing an 8 month problem that has now morphed into another KAV issue and will be close to 9 months waiting. This is so infuriating! I thought things were supposed to change... Sorry, but nothing has changed, it's just more and more of the same!

  • I found that disabling the System Watcher component sends the CPU & RAM usage back down to normal levels.

  • Apparently this didn't make the cut for 9.2.0.11. I just received a response that it is slated for 9.2.0.12 with over 70 fixes to the VSA which is making it take longer. Wonderful, I get to look incompetent to my clients for another 2 weeks.

  • Procedure KAV - Force signature update.xml

    This is getting ridiculous!

    We've found running 'avp.com update' from a 'execute shell command' step wasn't working to force endpoints to update, but avp.com update works OK using the 'execute file' step. I've attached a script we're running daily to work around this mess, hope this helps.

       

  • Any update on this?  I am finding that a majority of the systems are actually updating but not reporting back the current database date.  I have a handful of systems still indicating "Extremely out of date" that I am not able to update.  Attempting a "repair" on them to see if it is simply a configuration issue from the installation.  



    further troubleshooting
    [edited by: Tim Varvais at 10:35 AM (GMT -8) on Feb 16, 2016]
  • The Script works but still does not update the manage services interface from what I can see so far.  Also, if you have the new version of the Anti-Virus installed, the folder path has changed, so the script needs to check for SP1 also.  We are new to using these tools and were wondering why some Reported Product Names show up as Kaspersky Endpoint Security 10 for Windows and others as Kaseya Antivirus?  Wondering if that could be some of the trouble that we have with updates and profiles not working correctly.

    I see a new version 9.2.0.12 but no mention of KAV updates.



    Just added more to post.
    [edited by: asuman1179 at 8:14 AM (GMT -8) on Feb 24, 2016]
  • Still having all the same issues with 9.2.0.12.  No change.  I have 80 systems this morning reporting definitions out of date (at least 2 days old).  I'm spending more time managing the RMM tool than the desktops it's supposed to manage.