13831 Views 21 Replies Latest reply: Aug 14, 2009 9:46 AM by Tracy

Aug 12, 2009 9:01 PM

Missing Vulscan executable.  Why?

Just on a whim I created a query to show when the last vulnerability scan was done, and found over 200 machines that hadn't scanned in > 7 days. On every machine that I tried (20+) the machine was missing Vulscan.exe.

 

Aside from users deleting Vulscan.exe has anyone seen any time where Vulscan.exe disappears?

 

I have a case with Tech Support open because Vulscan.exe is causing high CPU and Memory utilization, so I assume these machines may have been having the same issue, and rather than the users notifying me they just deleted Vulscan.exe. But that's just an assumption.

 

So, anyone?

 

I am definitely open to thoughts, comments, or even other reasons why this may occur.

 

Thanks,

Chris

  • ahe Expert 862 posts since
    Dec 21, 2007

    1. Aug 13, 2009 1:43 AM (in response to Dataspike)
    Re: Missing Vulscan executable.  Why?

    Hello Chris,

     

    did you check the logs of your virus scanner?

     

    We've had the situation that a new (buggy) signature blocks some apps or killed the (exe) files... :-|

     

    Additionally, did you check if your virus scanner can be configured not to check the running vulscan.exe? We did it with inventory scanner and vulscan, because otherwise the performance of our clients slows down...

     

    Regards

    Axel

  • phoffmann SupportEmployee 2,644 posts since
    Dec 11, 2007

    2. Aug 13, 2009 2:16 AM (in response to ahe)
    Re: Missing Vulscan executable.  Why?

    False positives are a definitive option, Ahe - good one. Though traditionally AV vendors tend to pick on SOFTMON.EXE (for some reason) more often, I'm not aware of a vulscan-mistake yet, but definitely something worth checking out.

     

    As for the process-level scanning, that's VERY important to turn off - LDISCN32 (inventory scanner) and VULSCAN (the vulnerability scanner) both have a LOT of I/O in their own right already. If the AV wants to scan every single thing that those two touch, then you're causing yourself a massive overhead. Some things are just better not to have scanned on a process level.

     

    - Paul Hoffmann

    LANDesk EMEA Technical Lead

  • Rookie 32 posts since
    Jul 27, 2009

    3. Aug 13, 2009 5:16 AM (in response to phoffmann)
    Re: Missing Vulscan executable.  Why?

    Are you all using LANDesk AV as well? Is LDAV smart enough to exclude ldiscn32 and vulscan from its scanning process or should it be manually configured for exclusion? I/O and cpu util is a touchy subject in my world so anything I can do to limit that is helpful.

  • ahe Expert 862 posts since
    Dec 21, 2007

    4. Aug 13, 2009 5:21 AM (in response to gitrdonegreg)
    Re: Missing Vulscan executable.  Why?

    Hello,

     

    no currently we don't use LD AV, we use McAfee + ePO... but I don't know how long we will use McAfee + ePO, it's so buggy...

     

    Regards

    Axel

  • phoffmann SupportEmployee 2,644 posts since
    Dec 11, 2007

    5. Aug 13, 2009 5:31 AM (in response to gitrdonegreg)
    Re: Missing Vulscan executable.  Why?

    gitrdonegreg wrote:

     

    Are you all using LANDesk AV as well? Is LDAV smart enough to exclude ldiscn32 and vulscan from its scanning process or should it be manually configured for exclusion? I/O and cpu util is a touchy subject in my world so anything I can do to limit that is helpful.

     

    Please note that when I was talking about excluding LDISCN32 and VULSCAN from process-level scanning I was talking about a feature that McAfee and a few others have.

     

    "Traditional" approach to AV is this (essentially) -- Scan the binary that's being run ... and any other binary it accesses.

     

    Process level scanning == "Scan the binary that's being run and any file / whatever this file touches".

     

    This is the "increased paranoia level" - which is good if you've got viruses that may try to sneak into non-executables or so, but is a very big problem for stuff such as LDISCN32 / VULSCAN which essentially trawl through your entire hard drive (or the Inventory Service on the Core, for instance). This would turn a single scan into essentially 2-3 HD-wide scans, costing a LOT of I/O.

     

    I didn't mean to insinuate that vulscan.exe / ldiscn32.exe should themselves be not scanned - after all, they - like any file - can get infected. I hope that this clarifies things a bit?

     

    - Paul Hoffmann

    LANDesk EMEA Technical Lead.

  • Rookie 32 posts since
    Jul 27, 2009

    6. Aug 13, 2009 6:55 AM (in response to phoffmann)
    Re: Missing Vulscan executable.  Why?

    Understood. And from what I can tell, LDAV does not scan processes and any files touched by those processes? We are only scanning for infectable files at this point.

  • jmichno Apprentice 204 posts since
    Jan 11, 2008

    7. Aug 13, 2009 7:10 AM (in response to gitrdonegreg)
    Re: Missing Vulscan executable.  Why?

    Has anyone seen where a process called system spikes to 100 percent cpu util? I think it is av's scheduled scan process, but not sure. Has anyone else seen this or know where I can go to verify and ultimately fix it?

     


  • phoffmann SupportEmployee 2,644 posts since
    Dec 11, 2007

    8. Aug 13, 2009 7:11 AM (in response to gitrdonegreg)
    Re: Missing Vulscan executable.  Why?

    gitrdonegreg wrote:

     

    Understood. And from what I can tell, LDAV does not scan processes and any files touched by those processes? We are only scanning for infectable files at this point.

     

    That is correct. LDAV does not scan processes.

     

    - Paul Hoffmann

    LANDesk EMEA Technical Lead.

  • Tracy Expert 406 posts since
    Nov 27, 2007

    9. Aug 13, 2009 8:46 AM (in response to Dataspike)
    Re: Missing Vulscan executable.  Why?

    I think I may know what is going on here. I have seen where Vulscan determines that it needs an update from the core, it downloads the updated vulscan libraries, but the process doesn't finish for whatever reason... Now you are left with your vulscan.exe renamed to vulscan.old... and no exe to complete the update process.

     

    If I remember correctly, I brought this up with development and some safeguards preventing this issue have been implemented going forward.

     

    My recommendations for your current situation (if you haven't taken care of it already)

     

    Create a software distribution job to either rename the vulscan.old to vulscan.exe or to just copy down the vulscan.exe from ldlogon to the ldclient directory. Using an inventory query for vulscan version or similar should allow you to target needed machines.

     

    -Tracy

  • Rookie 32 posts since
    Jul 27, 2009

    11. Aug 13, 2009 10:15 AM (in response to Dataspike)
    Re: Missing Vulscan executable.  Why?

    Are any of you currently using agent watcher? I compared the agent watcher report called "Monitored files not found on clients" against an inventory query for vulscan.exe and the results are quite different. Agent Watcher produced a much smaller list of machines without vulscan.exe than the inventory query, which would lead me to believe that

         1) We have a lot of stale records out there in our DB or

         2) We have a much bigger problem than just vulscan.exe being missing. Maybe the agent is either corrupt? Not installed completely/properly?

     

    I guess I'm not sold that copying vulscan.exe back down to the problem machine will fix the issue, especially if (like you said Chris) there is not a current or old vulscan.exe file on the machine at all.

     

    Ricketts
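
The three file states raised in Tracy's and Ricketts' posts above (vulscan.exe present, only vulscan.old left behind, neither file on disk), as an added triage script that is not part of the thread and is not LANDesk code. It assumes PowerShell 3.0 or later on the client; `-LDClientDir` is a caller-supplied placeholder because the thread gives no full path for the ldclient directory, and the state names and exit codes are illustrative.

```powershell
# Added example: classify a client before deciding whether a rename can fix it.
# -LDClientDir is a placeholder the caller must supply (path not given in the thread).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$LDClientDir,
    [switch]$Repair   # only acts on the interrupted-update state
)

$exe = Join-Path $LDClientDir 'vulscan.exe'
$old = Join-Path $LDClientDir 'vulscan.old'
$hasExe = Test-Path -LiteralPath $exe -PathType Leaf
$hasOld = Test-Path -LiteralPath $old -PathType Leaf

if ($hasExe) {
    $state = 'Present'              # nothing to repair
} elseif ($hasOld) {
    $state = 'InterruptedUpdate'    # Tracy's case: exe renamed, update never finished
} else {
    $state = 'MissingBoth'          # Ricketts' case: a rename cannot help; check the
                                    # AV logs (ahe's reply) or the agent install itself
}

$repaired = $false
if ($Repair -and $state -eq 'InterruptedUpdate') {
    if ($PSCmdlet.ShouldProcess($old, 'Rename to vulscan.exe')) {
        Rename-Item -LiteralPath $old -NewName 'vulscan.exe' -ErrorAction Stop
        $repaired = $true
    }
}

# Timestamp helps tell a fresh restore from a long-standing binary.
$exeTime = $null
if (Test-Path -LiteralPath $exe -PathType Leaf) {
    $exeTime = (Get-Item -LiteralPath $exe).LastWriteTime
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    State        = $state
    Repaired     = $repaired
    ExeLastWrite = $exeTime
}

# Exit code lets the deployment job report which machines still need attention.
if ($state -eq 'MissingBoth') { exit 2 }
if ($state -eq 'InterruptedUpdate' -and -not $repaired) { exit 1 }
exit 0
```

Running it with `-Repair -WhatIf` first shows which machines would be renamed without changing anything.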

  • Rookie 32 posts since
    Jul 27, 2009

    12. Aug 13, 2009 10:18 AM (in response to jmichno)
    Re: Missing Vulscan executable.  Why?

    Jeremiah, we've had problems with CPU util as of late after flipping the switch on malware scanning. We've since had to disable it again so a full malware sweep does not occur with vulscan until we can figure out how to keep the clients from spiking and basically becoming useless for an extended period of time while that scan runs.

  • jmichno Apprentice 204 posts since
    Jan 11, 2008

    13. Aug 14, 2009 1:11 AM (in response to gitrdonegreg)
    Re: Missing Vulscan executable.  Why?

    We have LDMS, AV, and patch... not LDSS. Is there a doc that shows how to disable the malware scanning? We are on 8.8 sp2a

     

    Thank You,

     

    <Message edited to remove e-mail addresses and such.>

     

    Message was edited by: Paul Hoffmann

LANDESK Community © 2007 LANDESK Software