SayoojDinan
Participant

Anti-Malware unable to update. No connection to the server (DAT signature).

Dear Checkmates,

After successfully deploying the endpoint client on my Windows server machine, I am unable to update the DAT signature from the local endpoint server.

Error message: Anti-Malware unable to update. No connection to the server.

Initial troubleshooting steps followed:

> Checked connectivity to the endpoint server :: OK

> Tried updating the Anti-Malware database from the endpoint server :: OK

Please find below the error logs collected from the client.

EiKav [error] KAV engine isn't initialized [AMEngine::Kav::KavProtectionEngine::ChangeSettings]
2024-02-09 11:31:24.210 t:2532 epam [error] Error applying new engine settings [AntiMalware::Protection::ProtectionController::HandleNotifyGeneralBladeSettings]
2024-02-09 11:31:24.210 t:2532 epam [info ] There is reload request, checking for running scans... [AntiMalware::Protection::ProtectionController::ControlAVEngine]
2024-02-09 11:31:24.210 t:3080 EiKav [info ] Loading Kav library from: 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Anti-Malware\Avsys' [AMEngine::Kav::KavProtectionEngine::LoadAvLibraryInternal]
2024-02-09 11:31:24.215 t:3080 EiKav [info ] kaveLoad success [AMEngine::Kav::KavProtectionEngine::LoadAvLibraryInternal]
2024-02-09 11:31:24.215 t:3080 epam [info ] AV Library checkpoint.E1 is loaded [AMEngine::ProtectionEnginePrototype::Initialize]
2024-02-09 11:31:24.215 t:3080 EiKav [info ] Set KAV Engine log level to 0 [AMEngine::Kav::KavLogManager::SetLevel]
2024-02-09 11:31:24.218 t:3080 EiKav [info ] AV Library Initializing ScannerHostType 896, cloud protection is enabled, Bases Path : 'C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\bases\8_10_0'; Temp Path : 'C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\temp'; License Path : 'C:\Program Files (x86)\CheckPoint\Endpoint Security\Anti-Malware\Avsys\license'; Quarantine path : 'C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\quarantine' [AMEngine::Kav::KavProtectionEngine::InitializeKavEngine]
2024-02-09 11:31:24.219 t:3080 EiKav [info ] kaveSetSettings() success [AMEngine::Kav::KavProtectionEngine::InitializeKavEngine]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.224 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.226 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.227 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.230 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.260 t:812 epam [info ] Add default media encryption [AntiMalware::SettingsStore::SettingsStore::AddDefaultInternal]
2024-02-09 11:31:24.264 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.265 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.266 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.267 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.271 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.272 t:3036 epam [error] SendZDxItemUpdate(dwMapCookie, ZDX_SINK_TRAY, ZDX_EPAM_SERVICE, FALSE) failed, HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleNotifySystemTaskStatus]
2024-02-09 11:31:24.289 t:2532 EiKav [info ] Engine version: 8.10.0.511 [AMEngine::Kav::KavProtectionEngine::GetVersionInternal]
2024-02-09 11:31:24.289 t:812 epam [info ] Add default Rescan Quarantine [AntiMalware::SettingsStore::SettingsStore::AddDefaultRescanQuarantine]
2024-02-09 11:31:24.291 t:3036 epam [info ] UI updated with KEY_ENGINE_VERSION = '8.10.0.511' and KEY_SIG_VERSION = '' [AntiMalware::Adaptors::EpamUiProxy::HandleEngineVersion]
2024-02-09 11:31:24.291 t:2284 epam [info ] EventMonitor updated with KEY_ENGINE_VERSION = '8.10.0.511' and KEY_SIG_VERSION = '' [AntiMalware::Protection::EventMonitor::HandleNotifyEngineVersionMsg]
2024-02-09 11:31:24.483 t:812 epam [info ] Calculate internal scan settings [AntiMalware::SettingsStore::SettingsStore::CalculateInternalScanSettings]

+PFA for more details.

Can anyone help me with insights into this problem I am facing?

Thanks in advance.

***********

Regards,

@SayoojDinan
0 Kudos
15 Replies
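An added triage helper, written for this thread and not code from the original post or from Check Point: it parses epam/EiKav log lines in the format quoted above and pulls out the signals worth checking before chasing connectivity, namely whether the engine reports NOT initialized, what KEY_SIG_VERSION was loaded, and which HRESULT codes occur. The sample log is constructed from the lines in the post; the hypothetical `update_blocked_by_engine` check is my own rule of thumb, not a Check Point diagnostic.

```python
import re
from collections import Counter

# Constructed sample, modelled on the epam log lines quoted in the post.
SAMPLE_LOG = """\
2024-02-09 11:31:24.210 t:2532 epam [error] Error applying new engine settings [AntiMalware::Protection::ProtectionController::HandleNotifyGeneralBladeSettings]
2024-02-09 11:31:24.215 t:3080 EiKav [info ] kaveLoad success [AMEngine::Kav::KavProtectionEngine::LoadAvLibraryInternal]
2024-02-09 11:31:24.223 t:2544 epam [info ] Engine status reported as NOT initialized, version info is reset [AntiMalware::EpamDafDaAdaptor::DafDaProxy::HandleEngineStatus]
2024-02-09 11:31:24.224 t:3036 epam [error] Failed to update Engine status with 'ENGINE_INITIALIZING(1)', HRESULT == 0x8000000a [AntiMalware::Adaptors::EpamUiProxy::HandleEngineStatus]
2024-02-09 11:31:24.291 t:3036 epam [info ] UI updated with KEY_ENGINE_VERSION = '8.10.0.511' and KEY_SIG_VERSION = '' [AntiMalware::Adaptors::EpamUiProxy::HandleEngineVersion]
"""

# Line shape: <timestamp> t:<thread> <component> [<level>] <message> [<source function>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) t:(?P<tid>\d+) (?P<comp>\S+) "
    r"\[(?P<level>\w+)\s*\] (?P<msg>.*?) \[(?P<src>[^\]]+)\]$"
)
VERSION_RE = re.compile(r"KEY_ENGINE_VERSION = '([^']*)' and KEY_SIG_VERSION = '([^']*)'")
HRESULT_RE = re.compile(r"HRESULT == (0x[0-9a-fA-F]+)")
HRESULT_NAMES = {"0x8000000a": "E_PENDING"}  # standard COM code for the value in the post

def parse_line(line):
    """Return the fields of one epam/EiKav log line, or None if it does not fit the shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Summarise engine state, reported versions and error codes from a client log."""
    report = {"engine_initialized": True, "engine_version": None,
              "sig_version": None, "hresults": Counter(), "error_sources": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # truncated lines (like the first one in the post) are skipped
        if "NOT initialized" in rec["msg"]:
            report["engine_initialized"] = False
        vm = VERSION_RE.search(rec["msg"])
        if vm:
            report["engine_version"], report["sig_version"] = vm.group(1), vm.group(2)
        hm = HRESULT_RE.search(rec["msg"])
        if hm:
            code = hm.group(1).lower()
            report["hresults"][HRESULT_NAMES.get(code, code)] += 1
        if rec["level"] == "error":
            report["error_sources"].append(rec["src"].rsplit("::", 1)[-1])
    return report

def update_blocked_by_engine(report):
    """Hypothetical rule: engine never initialised, or no signature version loaded at all."""
    return not report["engine_initialized"] or not report["sig_version"]
```

Run `triage(SAMPLE_LOG)` on the client's full log export; if `update_blocked_by_engine` is true, the engine state is the first thing to resolve, since no signature update can succeed while the engine itself is not initialised.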
PhoneBoy
Admin
Admin

What is the client version?
What is the management version/JHF? (or is this managed via Infinity Portal)

0 Kudos
SayoojDinan
Participant

Hey @PhoneBoy ,

I'm using the recommended client version E87.52.2005, which is managed by an R81.10 MGMT server (JHF 130).

Thanks in advance.

***********

Regards,

@SayoojDinan

0 Kudos
the_rock
Legend
Legend

Is it just one machine with this issue or multiple?

Andy

0 Kudos
SayoojDinan
Participant

Hey @the_rock ,

Yes, I am facing this problem on multiple Windows production servers and also on my test machine installed with the recommended agent version (E87.52.2005).

As soon as I upgraded them, they took an older DAT signature (202211171844) and won't fetch any update after that.

Thanks in advance.

***********

Regards,

@SayoojDinan

0 Kudos
the_rock
Legend
Legend

Gotcha... is this an on-prem endpoint server or the cloud one?

Andy

0 Kudos
SayoojDinan
Participant

@the_rock

It's an On-prem endpoint server.

****

Sayooj

0 Kudos
the_rock
Legend
Legend

See if the below helps, especially this part.

Andy

https://community.checkpoint.com/t5/Endpoint/Anti-Malware-Database-Update-Fails-No-Connection-To-Ser...
I was having the same problem here, in my lab. What solved my problem was the procedure found in sk141033 - "Anti-Malware cannot update signatures from Endpoint Security Server". I have just tested it successfully.

0 Kudos
SayoojDinan
Participant

@the_rock

Thanks for the quick reply. But I have already tried this in my lab setup and did not see any progress. Also, can you please tell me what exactly is happening in the back end when we install this script on the management server?

Are there any other steps that might solve this problem?

*******

Sayooj

0 Kudos
the_rock
Legend
Legend

I really could not say mate, sorry. That question is better suited for TAC. If this is an urgent issue, I would call them and see if you can do a remote session.

Best,

Andy

(1)
_Val_
Admin
Admin

The most probable reason is that the management server cannot reach the update database server. Look here: https://support.checkpoint.com/results/sk/sk83520 and make sure the server can reach the KAV8 servers.

0 Kudos
SayoojDinan
Participant

@_Val_

I don't see any connectivity issue to the external server; please find the output below.

Last login: Mon Feb 12 14:21:21 2024 from 192.168.150.200
[Expert@EDR_MGMT:0]# curl_cli -v http://kav8.checkpoint.com/version.txt
* Trying 23.217.111.240...
* TCP_NODELAY set
* Connected to kav8.checkpoint.com (23.217.111.240) port 80 (#0)
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 89
< Content-Type: text/plain
< ETag: "bb64abb03e253339e40a9e68e8b9aac4:1707722410.9318"
< Last-Modified: Mon, 12 Feb 2024 07:21:50 GMT
< Server: AkamaiNetStorage
< Expires: Mon, 12 Feb 2024 09:07:09 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Mon, 12 Feb 2024 09:07:09 GMT
< Connection: keep-alive
<
VERSION: 20240211222001
MD5: aec953faada3c1fe0413c92ed98be39b
KAV8_VERSION: 202402120600
* Connection #0 to host kav8.checkpoint.com left intact
[Expert@EDR_MGMT:0]#

The major problem here is that the client is not able to fetch the AM updates from the management server even though it has the latest DAT signatures and connectivity.

*******

Sayooj

0 Kudos
_Val_
Admin
Admin

Yes, there is no issue with the connectivity.

I took a look at your logs again, and this does not seem to be right: "Engine status reported as NOT initialized, version info is reset"

Please make sure you deployed the agents with the correct config, and that the Anti-Malware engine is enabled in the policy. If you still cannot figure out the issue, I recommend a TAC case.

(1)
the_rock
Legend
Legend

Yeah, the connectivity part seems fine.

anand_narine
Participant

Is the AM blade enabled or disabled on the client? What about your AM policy?

0 Kudos
the_rock
Legend
Legend

On mine it's not, no.

Andy

0 Kudos