Kaseya Community

KES detects threats, but all result in CLEAN FAILED?

  • I'm a newbie to VSA/KES as of this week, so bear with my beginner questions.

    Using latest version of VSA/KES, a client's machine shows 15 threats. But it seems as though KES/AVG is not fixing the problem, as the View Threats screen shows CLEAN FAILED under the Action/Status column... What would be the next logical step to clean these infections?

    I am surprised that the Threat Name doesn't get displayed as a hyperlink to a database of virus/spyware information - like many security products do. The database might have specific instructions on how to manually remove the threat, payload etc....

    Another oddity is that when I looked at View Logs, I saw FULL SCANs listed several times every day over the last week or two. Yet I never scheduled any full scans in KES. Tech support confirmed this was a bug that was fixed as of 3/17. Indeed, no more Full Scans have occurred after the morning of 3/18, so that's good. My first client was annoyed that the Full Scans were running every morning and bringing his machines to a crawl. My own workstation did it every AM too. I'm glad they fixed that bug.

    Back to - what do I do next to clean this machine? Support didn't offer much advice other than I could select the machine and choose an action at the top of the View Threats screen (e.g. Restore As-Is, Attempt to Clean & Restore etc.). But if the unsolicited Full Scan reported CLEAN FAILED, what good will it do to choose one of these actions?

    I hope KES is more sophisticated than it looks? Hopefully it's my lack of understanding as a newbie...

    Thanks!

    Legacy Forum Name: KES detects threats, but all result in CLEAN FAILED?,
    Legacy Posted By Username: ReedMikel
  • We are having the same problem -- talked to tech support over a week ago, they were going to call me back, but never did.

    Legacy Forum Name: KES,
    Legacy Posted By Username: gcappas
  • We also have the threat clean failed too often for our liking.

    To fix the FULL scan issue is easy. Go to the Security Tab/Define Profile. For each profile that you use, disable the "Run System Scan upon KES Start Up" option. On the upgrade to Kaseya 2008 this option was added, and it defaults to enabled.

    What I don't think Kaseya realizes with this option is that the KES services restart several times per day due to updates. This causes the computers to be re-scanned each time. I have found that even on fast computers a full scan takes about 1-2 hours.

    Legacy Forum Name: KES,
    Legacy Posted By Username: far182
  • On the machine which is showing you the threats, you should run the AVG Control Console and take a look at the logs to see what the threats are.

    We are just demoing KES, but from what I've seen tracking cookies get counted as threats but not logged as threats. Because of the high number of tracking cookies it is always catching, this makes sense.

    Anyone able to confirm this?

    Legacy Forum Name: KES,
    Legacy Posted By Username: doug.jenkins@ispire.ca
  • We discovered the new "Run System Scan on KES Startup" option by trial and error. By disabling this on our Managed Services profile, we were able to resolve a lot of the complaints reported by users.

    The bigger issue we are having though is that KES does not handle any of the threats that it finds. It will detect a threat, but will not clean it or delete it. This is true with almost all threats that are detected. We are able to purge the quarantine list, but then the threats return with the next scan.

    We've been forced to use other anti-virus applications to clean the computers. In some cases, we've installed AVG locally onto a customer network since KES is not cleaning the problems.

    Also, with the customers that have AVG installed locally (not via KES), they are showing up in the security tab as having KES installed. We are not being charged for a license though. Is this a software bug, or a feature? Should we be able to manage a customer's local installation of AVG via Kaseya? If so, it would be a nice feature, but it doesn't appear to work.

    Legacy Forum Name: KES,
    Legacy Posted By Username: Netconex
  • As a new user (1 week), I must say how disappointed I am with KES. I was hoping that I had found an excellent Antivirus/antispyware solution that integrated into what looks like a very powerful MSP tool. But it sure seems Kaseya has not done their homework with AVG. I think they do not know all the nuances of AVG, the settings it offers etc.

    The fact that others are seeing all, or lots, of CLEAN FAILED results is not encouraging.

    I hope I find the main Kaseya product to be better than KES? Though someone at Kaseya told me KES is only 6 months old, so maybe they can mature it in the next few months? Otherwise, what good is it if it simply reports threats?

    Anybody have a feel for why it fails to clean/disinfect so often? Is AVG that poor of a product, or is it more of a problem in how KES integrated it?

    My first client has a machine with 15 threats, none of which were fixed. I think I am going to image his hard drive, FTP it to myself, and load it on a test machine (hopefully I can get hold of an identical Dell PC). That way I could test out other AVAS solutions and see which one really does the job best... I wonder if it's possible to restore the infected image on to a virtual machine - rather than have to restore to identical hardware?

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • Can we get a response here from Kaseya tech support -- 90% of my threats fail to clear or delete as well.

    Legacy Forum Name: KES,
    Legacy Posted By Username: gcappas
  • Maybe this is why Zenith's switching to BitDefender.

    Legacy Forum Name: KES,
    Legacy Posted By Username: j.lee@carceron.net
  • I'm pretty new to KES, so apologies if I'm wrong here - please do put me straight. But it's my understanding (and the same is true of standalone AVG) that the 'clean failed' message is pretty much to be expected in most cases where you have selected the 'disinfect' option.

    What action types have you configured? If you have selected the 'disinfect' option, you're going to see a lot of clean failed messages - after all, there aren't many virus infections that leave cleanable files these days. It's what happens after clean failed that should matter - the file should then be quarantined or deleted. If one of those actions is taken subsequently and successfully, it shouldn't show in reports as a 'clean failed'.

    Lee

    Legacy Forum Name: KES,
    Legacy Posted By Username: leeevans
  • In my case, I believe many of the CLEAN FAILED situations were the result of registry entries which I guess cannot be "cleaned" (ie disinfected). Registry stuff probably has to be deleted. I later changed my KES profiles to also have the Delete box checked (under Resident Protect->Action). Presumably now any registry threats are deleted, so I no longer see the Clean Failed statuses...

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • So...a few comments

    Clean failed = KES / AVG attempting to extract the virus from the file and not being successful. This is typically due to the entire file being considered malware. We marked it as a "clean failed", and then happily moved the PUP to the vault. In reality, all was well on the machine. (I can't tell you how many tickets I've responded to with this scenario.)

    In KES 2.0 (the new name for KES 1.5), we split up the threats into a virus vault (those things which have been dealt with) and the current threats. In order to get to the virus vault, we

    1. Attempt to clean the file (as described above). The original is copied to the vault.
    2. Attempt to just move the file to the vault.
    3. Attempt to delete the file (without moving)

    All of these operations are considered "heal"-ing operations. The computer is left in a non-infected state.

    If all of these fail, then you'll see the infected file sitting on the drive and the admin UI will show the file as a current threat.

    Jeff

    Legacy Forum Name: KES,
    Legacy Posted By Username: Jeff.Keyes
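The three-step heal sequence Jeff describes (clean, then move to the vault, then delete), and the point made earlier in the thread that a "clean failed" on step 1 only matters if the later steps also fail, as an added illustration that is not Kaseya or AVG code. The in-memory filesystem, the marker string standing in for the detected malicious segment, the vault layout and the "locked" (file in use) behaviour are all constructed assumptions.

```python
# Added model of the KES 2.0 "heal" sequence over an in-memory filesystem.
# Not Kaseya/AVG code; MARKER, the vault dict and the lock set are constructed.
MARKER = b"<<MALICIOUS-SEGMENT>>"  # stand-in for the code the signature matched

def heal(fs, vault, path, locked=frozenset()):
    """Run clean -> vault -> delete for one detection.

    fs:     dict path -> bytes, standing in for the disk
    vault:  dict path -> original bytes (the virus vault), or None if unavailable
    locked: paths that cannot be modified or removed (e.g. file in use)
    Returns (final_status, attempts), attempts being the per-step log.
    """
    attempts = []
    data = fs[path]
    remainder = data.replace(MARKER, b"")
    # 1. Clean: strip the malicious part and keep the original in the vault.
    #    "Clean failed" when the whole file is malware (nothing benign remains).
    if remainder and vault is not None and path not in locked:
        vault[path] = data
        fs[path] = remainder
        attempts.append(("clean", "ok"))
        return "healed", attempts
    attempts.append(("clean", "failed"))
    # 2. Quarantine: move the whole file into the vault without cleaning it.
    if vault is not None and path not in locked:
        vault[path] = fs.pop(path)
        attempts.append(("vault", "ok"))
        return "healed", attempts
    attempts.append(("vault", "failed"))
    # 3. Delete in place, keeping no copy.
    if path not in locked:
        del fs[path]
        attempts.append(("delete", "ok"))
        return "healed", attempts
    attempts.append(("delete", "failed"))
    return "current threat", attempts

def admin_view(final_status):
    """Which KES 2.0 list the detection ends up in, per the post above."""
    return "virus vault" if final_status == "healed" else "current threats"

if __name__ == "__main__":
    # Constructed sample disk: a whole-file dropper, an infected host
    # document, and an in-use file that no step can touch.
    fs = {"C:/temp/dropper.exe": MARKER,
          "C:/docs/report.doc": b"benign text" + MARKER,
          "C:/Windows/inuse.dll": MARKER}
    vault = {}
    for p in list(fs):
        status, log = heal(fs, vault, p, locked={"C:/Windows/inuse.dll"})
        print(p, status, log, "->", admin_view(status))
```

The dropper logs a "clean failed" yet ends in the vault, which is the benign case from the post; only the in-use file fails all three steps and stays listed as a current threat.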
  • So how about registry entries that are associated (created by) malware? Registry entries can't be "cleaned", right? I imagine the only thing that can be done with them is to delete them from the registry? And should that fail (e.g. registry permissions insufficient), then I guess one could say "clean failed"?

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • Registry entries can be deleted and/or reset, and it's normally done during removal.

    Detection is often prior to the malware actually running, so it shouldn't have had any time to make registry changes. However, in the event that it's a prior infection, then with new signatures, the removal process should include both file removal and registry cleanup.

    A "Clean failed" would be if the entire package was malware, hence there really isn't anything to remove... Or, there wasn't anything left once the bad part was removed.

    Legacy Forum Name: KES,
    Legacy Posted By Username: Lmhansen
  • Support had told me that if the KES profile did not have [] Delete checked (under Resident Protect and somewhere else I think), then malware-related registry entries would never get deleted - and result in "Clean Failed". But I've never really had that confirmed by Jeff...

    Legacy Forum Name: KES,
    Legacy Posted By Username: ReedMikel
  • How is KES allowing malware to modify a "protected" machine's registry? Who's slacking?

    Legacy Forum Name: KES,
    Legacy Posted By Username: j.lee@carceron.net