KES detects threats, but all result in CLEAN FAILED?
Posted by LegacyPoster on Mar 21, 2008 5:31 AM
I'm a newbie to VSA/KES as of this week, so bear with my beginner questions.
Using latest version of VSA/KES, a client's machine shows 15 threats. But it seems as though KES/AVG is not fixing the problem, as the View Threats screen shows CLEAN FAILED under the Action/Status column... What would be the next logical step to clean these infections?
I am surprised that the Threat Name doesn't get displayed as a hyperlink to a database of virus/spyware information - like many security products do. The database might have specific instructions on how to manually remove the threat, payload etc....
Another oddity is that when I looked at View Logs, I saw FULL SCANs listed several times every day over the last week or two. Yet I never scheduled any full scans in KES. Tech support confirmed this was a bug that was fixed as of 3/17. Indeed, no more Full Scans have occurred after the morning of 3/18, so that's good. My first client was annoyed that the Full Scans were running every morning and bringing his machines to a crawl. My own workstation did it every AM too. I'm glad they fixed that bug.
Back to - what do I do next to clean this machine? Support didn't offer much advice other than I could select the machine and choose an action at the top of the View Threats screen (e.g. Restore As-Is, Attempt to Clean & Restore etc.). But if the unsolicited Full Scan reported CLEAN FAILED, what good will it do to choose one of these actions?
I hope KES is more sophisticated than it looks? Hopefully it's my lack of understanding as a newbie...
Thanks!
Legacy Forum Name: KES detects threats, but all result in CLEAN FAILED?,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster on Mar 23, 2008 11:12 PM
We are having the same problem -- talked to tech support over a week ago, they were going to call me back, but never did.
Legacy Forum Name: KES,
Legacy Posted By Username: gcappas

Posted by LegacyPoster on Mar 24, 2008 12:13 AM
We also have the threat clean failed too often for our liking.
To fix the FULL scan issue is easy. Go to the Security Tab/Define Profile. For each profile that you use, disable the "Run System Scan upon KES Start Up" option. On the upgrade to Kaseya 2008 this option was added, and it defaults to enabled.
What I don't think Kaseya realizes with this option is that the KES services restart several times per day due to updates. This causes the computers to be re-scanned each time. I have found that even on fast computers a full scan takes about 1-2 hours.
Legacy Forum Name: KES,
Legacy Posted By Username: far182

Posted by LegacyPoster on Mar 24, 2008 9:04 AM
On the machine which is showing you the threats, you should run the AVG Control Console and take a look at the logs to see what the threats are.
We are just demoing KES, but from what I've seen tracking cookies get counted as threats but not logged as threats. Because of the high number of tracking cookies it is always catching, this makes sense.
Anyone able to confirm this?
Legacy Forum Name: KES,
Legacy Posted By Username: doug.jenkins@ispire.ca

Posted by LegacyPoster on Mar 25, 2008 9:03 PM
We discovered the new "Run System Scan on KES Startup" option by trial and error. By disabling this on our Managed Services profile, we were able to resolve a lot of the complaints reported by users.
The bigger issue we are having though is that KES does not handle any of the threats that it finds. It will detect a threat, but will not clean it or delete it. This is true with almost all threats that are detected. We are able to purge the quarantine list, but then the threats return with the next scan.
We've been forced to use other anti-virus applications to clean the computers. In some cases, we've installed AVG locally onto a customer network since KES is not cleaning the problems.
Also, with the customers that have AVG installed locally (not via KES), they are showing up in the security tab as having KES installed. We are not being charged for a license though. Is this a software bug, or a feature? Should we be able to manage a customer's local installation of AVG via Kaseya? If so, it would be a nice feature, but it doesn't appear to work.
Legacy Forum Name: KES,
Legacy Posted By Username: Netconex

Posted by LegacyPoster on Mar 25, 2008 10:43 PM
As a new user (1 week), I must say how disappointed I am with KES. I was hoping that I had found an excellent Antivirus/antispyware solution that integrated into what looks like a very powerful MSP tool. But it sure seems Kaseya has not done their homework with AVG. I think they do not know all the nuances of AVG, the settings it offers etc.
The fact that others are seeing all, or lots, of CLEAN FAILED results is not encouraging.
I hope I find the main Kaseya product to be better than KES? Though someone at Kaseya told me KES is only 6 months old, so maybe they can mature it in the next few months? Otherwise, what good is it if it simply reports threats?
Anybody have a feel for why it fails to clean/disinfect so often? Is AVG that poor of a product, or is it more of a problem in how KES integrated it?
My first client has a machine with 15 threats, none of which were fixed. I think I am going to image his hard drive, FTP it to myself, and load it on a test machine (hopefully I can get hold of an identical Dell PC). That way I could test out other AVAS solutions and see which one really does the job best... I wonder if it's possible to restore the infected image on to a virtual machine - rather than have to restore to identical hardware?
Legacy Forum Name: KES,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster on Mar 28, 2008 11:20 PM
Can we get a response here from Kaseya tech support -- 90% of my threats fail to clear or delete as well.
Legacy Forum Name: KES,
Legacy Posted By Username: gcappas

Posted by LegacyPoster on Oct 14, 2008 8:58 AM
Maybe this is why Zenith's switching to BitDefender.
Legacy Forum Name: KES,
Legacy Posted By Username: j.lee@carceron.net

Posted by LegacyPoster on Oct 14, 2008 4:09 PM
I'm pretty new to KES, so apologies if I'm wrong here - please do put me straight. But it's my understanding (and the same is true of standalone AVG) that the 'clean failed' message is pretty much to be expected in most cases where you have selected the 'disinfect' option.
What action types have you configured? If you have selected the 'disinfect' option, you're going to see a lot of clean failed messages - after all, there aren't many virus infections that leave cleanable files these days. It's what happens after clean failed that should matter - the file should then be quarantined or deleted. If one of those actions is taken subsequently and successfully, it shouldn't show in reports as a 'clean failed'.
Lee
Legacy Forum Name: KES,
Legacy Posted By Username: leeevans

Posted by LegacyPoster on Oct 14, 2008 9:57 PM
In my case, I believe many of the CLEAN FAILED situations were the result of registry entries which I guess cannot be "cleaned" (i.e. disinfected). Registry stuff probably has to be deleted. I later changed my KES profiles to also have the Delete box checked (under Resident Protect->Action). Presumably now any registry threats are deleted, so I no longer see the Clean Failed statuses...
Legacy Forum Name: KES,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster on Oct 15, 2008 12:21 PM
So...a few comments
Clean failed = KES / AVG attempting to extract the virus from the file and not being successful. This is typically due to the entire file being considered malware. We marked it as a "clean failed", and then happily moved the PUP to the vault. In reality, all was well on the machine. (I can't tell you how many tickets I've responded to with this scenario)
In KES 2.0 (the new name for KES 1.5), we split up the threats into a virus vault (those things which have been dealt with) and the current threats. In order to get to the virus vault, we
1. Attempt to clean the file (as described above). The original is copied to the vault.
2. Attempt to just move the file to the vault.
3. Attempt to delete the file (without moving)
All of these operations are considered "heal"-ing operations. The computer is left in a non-infected state.
If all of these fail, then you'll see the infected file sitting on the drive and the admin UI will show the file as a current threat.
Jeff
Legacy Forum Name: KES,
Legacy Posted By Username: Jeff.Keyes
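Jeff's heal chain (clean, then move to vault, then delete) is the key to reading a CLEAN FAILED entry correctly. As an added illustration, not code from Kaseya, AVG or anyone in this thread, the following triages a constructed threat-log export (the pipe-separated layout is assumed, not the real KES format) and separates harmless "clean failed, then vaulted" histories from threats that are still on the disk or that never got a follow-up action:

```python
from collections import defaultdict

# Constructed sample of a threat-log export. The pipe-separated layout is
# assumed for this example, not KES's real format.
SAMPLE_LOG = """\
2008-03-18 06:12:01|WS01|Trojan.Generic|C:\\Temp\\a.exe|CLEAN FAILED
2008-03-18 06:12:01|WS01|Trojan.Generic|C:\\Temp\\a.exe|MOVED TO VAULT
2008-03-18 06:13:10|WS01|Adware.Foo|HKCU\\Software\\Foo\\Run|CLEAN FAILED
2008-03-18 06:14:00|WS02|Worm.Bar|C:\\Users\\x\\b.exe|CLEAN FAILED
2008-03-18 06:14:00|WS02|Worm.Bar|C:\\Users\\x\\b.exe|MOVE FAILED
2008-03-18 06:14:00|WS02|Worm.Bar|C:\\Users\\x\\b.exe|DELETE FAILED
2008-03-18 06:15:00|WS02|Tracking cookie|C:\\Users\\x\\Cookies\\ad.txt|DELETED
"""

# Heal chain in the order Jeff gives: clean, then move to vault, then delete.
SUCCESS = {"CLEANED", "MOVED TO VAULT", "DELETED"}

def parse_log(text):
    """Group action results per (machine, threat, object), keeping log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, machine, threat, obj, result = line.split("|", 4)
        events[(machine, threat, obj)].append(result.strip())
    return events

def classify(results):
    """healed: some chain step succeeded (an earlier CLEAN FAILED is harmless);
    current_threat: the whole chain ran and every step failed;
    no_followup: the chain stopped after a failure with no later move/delete,
    the pattern the thread ties to a profile without Delete checked."""
    if any(r in SUCCESS for r in results):
        return "healed"
    if results and results[-1] == "DELETE FAILED":
        return "current_threat"
    return "no_followup"

def triage(text):
    """Status per (machine, threat, object) for a whole log export."""
    return {key: classify(res) for key, res in parse_log(text).items()}

def machines_needing_attention(text):
    """Machines with at least one threat that was not healed."""
    return sorted({m for (m, _t, _o), s in triage(text).items() if s != "healed"})
```

Only the "current_threat" and "no_followup" rows need an admin to act; the first by manual removal, the second by fixing the profile's action settings and re-running the chain.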

Posted by LegacyPoster on Oct 16, 2008 2:05 AM
So how about registry entries that are associated (created by) malware? Registry entries can't be "cleaned", right? I imagine the only thing that can be done with them is to delete them from the registry? And should that fail (e.g. registry permissions insufficient), then I guess one could say "clean failed"?
Legacy Forum Name: KES,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster on Oct 16, 2008 2:08 AM
Registry entries can be deleted and/or reset, and it's normally done during removal.
Detection is often prior to the malware actually running, so it shouldn't have had any time to make registry changes. However, in the event that it's a prior infection, then with new signatures, the removal process should include both file removal and registry cleanup.
A "Clean failed" would be if the entire package was malware, hence there really isn't anything to remove... Or, there wasn't anything left once the bad part was removed.
Legacy Forum Name: KES,
Legacy Posted By Username: Lmhansen

Posted by LegacyPoster on Oct 16, 2008 7:26 AM
Support had told me that if the KES profile did not have [] Delete checked (under Resident Protect and somewhere else I think), then malware-related registry entries would never get deleted - and result in "Clean Failed". But I've never really had that confirmed by Jeff...
Legacy Forum Name: KES,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster on Oct 16, 2008 1:26 PM
How is KES allowing malware to modify a "protected" machine's registry? Who's slacking?
Legacy Forum Name: KES,
Legacy Posted By Username: j.lee@carceron.net