This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SayoojDinan
Participant
‎2024-02-09 01:39 AM

Anti-Malware unable to update. No connection to the server (DAT signature).

Dear Checkmates,

After successfully deploying the endpoint client on my Windows server machine, I am unable to update the DAT signature from the local endpoint server.

Error Message : Anti-Malware unable to update. No connection to the server.

Initial troubleshooting steps followed:

>Checked connectivity to the endpoint server :: OK

>Tried updating the Anti-malware database from the endpoint server :: OK 

 

Please find the below ERROR logs collected from the client.

EiKav [error] KAV engine isn't initialized [AMEngine::Kav::KavProtectionEngine::ChangeSettings]
2024-02-09 11:31:24.210 t:2532 epam [error] Error applying new engine settings [AntiMalware::Protection::ProtectionController::HandleNotifyGeneralBladeSettings]
2024-02-09 11:31:24.210 t:2532 epam [info ] There is reload request, checking for running scans... [AntiMalware::Protection::ProtectionController::ControlAVEngine]
2024-02-09 11:31:24.210 t:3080 EiKav [info ] Loading Kav library from: 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Anti-Malware\Avsys' [AMEngine::Kav::KavProtectionEngine::LoadAvLibraryInternal]
2024-02-09 11:31:24.215 t:3080 EiKav [info ] kaveLoad success [AMEngine::Kav::KavProtectionEngine::LoadAvLibraryInternal]
2024-02-09 11:31:24.215 t:3080 epam [info ] AV Library checkpoint.E1 is loaded [AMEngine::ProtectionEnginePrototype::Initialize]
2024-02-09 11:31:24.215 t:3080 EiKav [info ] Set KAV Engine log level to 0 [AMEngine::Kav::KavLogManager::SetLevel]
2024-02-09 11:31:24.218 t:3080 EiKav [info ] AV Library Initializing ScannerHostType 896, cloud protection is enabled, Bases Path : 'C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\bases\8_10_0'; Temp Path : 'C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\temp'; License Path : 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Anti-Malware\Avsys\license'; Quarantine path : 'C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\quarantine' [AMEngine::Kav::KavProtectionEngine::InitializeKavEngine]
2024-02-09 11:31:24.219 t:3080 EiKav [info ] kaveSetSettings() success [AMEngine::Kav::KavProtectionEngine::InitializeKavEngine]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.224 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.226 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.227 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.230 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.260 t:812 epam [info ] Add default media encryption [AntiMalware::SettingsStore::SettingsStore::AddDefaultInternal]
2024-02-09 11:31:24.264 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.265 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.266 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.267 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.271 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.272 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.289 t:2532 EiKav [info ] Engine version: 8.10.0.511 [AMEngine::Kav::KavProtectionEngine::GetVersionInternal]
2024-02-09 11:31:24.289 t:812 epam [info ] Add default Rescan Quarantine [AntiMalware::SettingsStore::SettingsStore::AddDefaultRescanQuarantine]
2024-02-09 11:31:24.291 t:3036 epam [info ] UI updated with KEY_ENGINE_VERSION = '8.10.0.511' and KEY_SIG_VERSION = '' [AntiMalware::Adaptors::EpamUiProxy::HandleEngineVersion]
2024-02-09 11:31:24.291 t:2284 epam [info ] EventMonitor updated with KEY_ENGINE_VERSION = '8.10.0.511' and KEY_SIG_VERSION = '' [AntiMalware::Protection::EventMonitor::HandleNotifyEngineVersionMsg]
2024-02-09 11:31:24.483 t:812 epam [info ] Calculate internal scan settings [AntiMalware::SettingsStore::SettingsStore::CalculateInternalScanSettings]

+PFA for more details.

Can anyone help me in providing insights to this problem I am facing.

Thanks in advance.

***********

Regards,

@SayoojDinan 

 

 

 

Preview file
37 KB
Preview file
194 KB
0 Kudos
15 Replies
PhoneBoy
Admin
Admin
‎2024-02-09 05:37 PM

What is the client version?
What is the management version/JHF? (or is this managed via Infinity Portal)

0 Kudos
SayoojDinan
Participant
‎2024-02-10 02:19 AM
In response to PhoneBoy

Hey @PhoneBoy ,

I'm using the recommended client version E87.52.2005, which is managed by an R81.10  MGMT server (JHF 130).

Thanks in advance.

***********

Regards,

@SayoojDinan 

0 Kudos
the_rock
Legend
Legend
‎2024-02-10 10:34 AM
In response to SayoojDinan

Is it just one machine with this issue or multiple?

Andy

0 Kudos
SayoojDinan
Participant
‎2024-02-10 11:12 AM
In response to the_rock

Hey @the_rock ,

Yes, I am facing this problem on multiple windows production servers and also on my test machine installed with the recommended agent version(E87.52.2005).

As soon as i upgraded them, they are taking an older DAT signature(202211171844) and won't fetch the update after on.

Thanks in advance.

***********

Regards,

@SayoojDinan

0 Kudos
the_rock
Legend
Legend
‎2024-02-10 11:22 AM
In response to SayoojDinan

Gotcha...is this on prem endpoint server or the cloud one?

Andy

0 Kudos
SayoojDinan
Participant
‎2024-02-10 11:30 AM
In response to the_rock

@the_rock 

It's an On-prem endpoint server.

****

Sayooj

0 Kudos
the_rock
Legend
Legend
‎2024-02-10 11:36 AM
In response to SayoojDinan

See if below helps, specially this part.

Andy

https://community.checkpoint.com/t5/Endpoint/Anti-Malware-Database-Update-Fails-No-Connection-To-Ser...

 

I was having the same problem here, in my lab. What solved my problem was the procedure found in sk141033 - "Anti-Malware cannot update signatures from Endpoint Security Server". I have just tested it successfully.

0 Kudos
SayoojDinan
Participant
‎2024-02-10 11:44 AM
In response to the_rock

@the_rock 

Thanks for the quick reply. But I have already tried this in my lab setup and I did not see any progress, also can you please tell me what exactly is happening in the back-end when we install this script on the management server.

Is there any other steps that might solve this problem?

*******

Sayooj

0 Kudos
the_rock
Legend
Legend
‎2024-02-10 11:45 AM
In response to SayoojDinan

I really could not say mate, sorry. That question is better suited for TAC. If this is urgent issue, I would call them and see if you can do remote session.

Best,

Andy

(1)
_Val_
Admin
Admin
‎2024-02-12 12:41 AM

The most probable reason is that the management server cannot reach the update database server. Look here: https://support.checkpoint.com/results/sk/sk83520 and make sure the server can reach to KAV8 servers.

0 Kudos
SayoojDinan
Participant
‎2024-02-12 01:12 AM
In response to _Val_

@_Val_ 

I don't see any connectivity issue to the external server, please find the below output.

Last login: Mon Feb 12 14:21:21 2024 from 192.168.150.200
[Expert@EDR_MGMT:0]# curl_cli -v http://kav8.checkpoint.com/version.txt
* Trying 23.217.111.240...
* TCP_NODELAY set
* Connected to kav8.checkpoint.com (23.217.111.240) port 80 (#0)
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 89
< Content-Type: text/plain
< ETag: "bb64abb03e253339e40a9e68e8b9aac4:1707722410.9318"
< Last-Modified: Mon, 12 Feb 2024 07:21:50 GMT
< Server: AkamaiNetStorage
< Expires: Mon, 12 Feb 2024 09:07:09 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Mon, 12 Feb 2024 09:07:09 GMT
< Connection: keep-alive
<
VERSION: 20240211222001
MD5: aec953faada3c1fe0413c92ed98be39b
KAV8_VERSION: 202402120600
* Connection #0 to host kav8.checkpoint.com left intact
[Expert@EDR_MGMT:0]#

The major problem here is that the client is not able to fetch the AM updates from the management server even though it's having the latest DAT signatures and connectivity.

*******

Sayooj

0 Kudos
_Val_
Admin
Admin
‎2024-02-12 01:48 AM
In response to SayoojDinan

Yes, there is no issue with the connectivity.

I took a look at your logs again, and this does not seem to be right: "Engine status reported as NOT initialized, version info is reset"

Please make sure you deployed the agents with the correct config, and Ani-Malware engine is enabled in the policy. If you still cannot figure out the issue, I recommend a TAC case.

(1)
the_rock
Legend
Legend
‎2024-02-12 04:10 AM
In response to SayoojDinan

Yeah, connectivity part seems fine.

anand_narine
Participant
‎2024-02-17 09:05 AM
In response to the_rock

Is the AM blade enabled or disabled on the client? What about your AM policy ?

0 Kudos
the_rock
Legend
Legend
‎2024-02-17 11:19 AM
In response to anand_narine

On mine its not, no.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events