Problem:
KAV/KAM shows the definition as out of date in Kaseya VSA, whereas on the endpoint Kaspersky and Malwarebytes show the definitions as up to date.
Cause:
1. Information about the new definition update has not been uploaded to the Kaseya server, even though the kalua messages that contain this definition update have been created on the endpoint.
2. The kalua messages that contain this definition date have not been created by the kalua files on the endpoint.
Solution:
1. Please verify that the contents of 'C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\Kalua\KaLuaCoreKaLuaLogLogger\', 'C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\' and 'C:\Program Files (x86)\Kaseya\TESTAK10277708566327\KaluaLogs\KAM\KAMClientMessageKAMMessageLogger\' are being processed. If you see messages arriving in these folders but not being uploaded to the Kaseya server, verify that 'KaLuaCoreKaLuaLogLogger.xml', 'KAVClientMessageKAVMessageLogger.xml' and 'KAMClientMessageKAMMessageLogger.xml' exist under the 'C:\Program Files\Kaseya\TESTAK10277708566327\kMsgQUploadCfg\' folder.
Note that you will not see the KAM files if the endpoint only has KAV, or the KAV files if it only has KAM. If both KAV and KAM are installed on the machine, you will see all of the above xml files. For example, if only KAM is installed on this machine, you will only see the folder and files shown below.
If the two xml files shown in the screenshot above are missing, please perform a repair install of the relevant product (either KAV or KAM).
Below is a screenshot of the folders on a machine where KAV has been installed but not KAM.
You can also check the agentmon.log file to see whether these kalua message files are being uploaded. Entries like the ones below in agentmon.log mean the message files are being uploaded: there are continuous sequences of 'Detected file create', 'Detected file change', 'Reporting file' and 'Detected file delete' lines.
Below is an example of how the message "out324481437.kalua" shows up in the agentmon.log file:
2015/03/27 09:43:55.570 [814]: [DirMon] Detected file create "C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua"
2015/03/27 09:43:55.586 [814]: [DirMon] Detected file change "C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua"
2015/03/27 09:44:10.617 [f90]: [DirMon] 1 changed file(s) to report
2015/03/27 09:44:10.617 [f90]: [DirMon] Reporting file C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua plugin KAVClientMessage class Logger conduit KAVMessage params
2015/03/27 09:44:10.633 [814]: [DirMon] Detected file delete "C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua"
- If the messages are being uploaded but you still see the issue, verify on the Kaseya server that the folder 'C:\Kaseya\UserProfiles\@MsgQueIn' is accessible and not corrupted. Also verify that the kalua message files (as shown above) uploaded from the endpoint folders 'KaluaLogs\KAM\KAMClientMessageKAMMessageLogger', 'KaLuaCoreKaLuaLogLogger' or 'KAVClientMessageKAVMessageLogger' are not accumulating in 'C:\Kaseya\UserProfiles\@MsgQueIn'. These messages should be processed and deleted from this folder as Kaseya transfers the information to the database.
- Verify that the message queue on the Kaseya server is processing these messages by checking Computer Management > Services and Applications > Message Queuing > Private Queues > kes.service and kam.service > Queue messages.
- Queue messages should not be stacking up. If they are, restart the Kaseya Antivirus or Kaseya Antimalware service on the Kaseya server. You may also need to restart the Kaseya Plugin Host and Kaseya Event Service if the messages still show as stacked up.
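As an added example (not part of the original article), the following Python script applies the agentmon.log check described above to a constructed sample of DirMon lines: a kalua message that reaches 'Reporting file' and 'Detected file delete' counts as uploaded, while one that only shows create/change is flagged as stalled. The second sample file name (out900000001.kalua) is made up.

```python
import re

# Constructed sample of agentmon.log DirMon lines (not a real capture). The first
# message completes create/change/report/delete; the second (made-up KAM file
# name) is created and changed but never reported, i.e. its upload has stalled.
SAMPLE_LOG = r"""
2015/03/27 09:43:55.570 [814]: [DirMon] Detected file create "C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua"
2015/03/27 09:43:55.586 [814]: [DirMon] Detected file change "C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua"
2015/03/27 09:44:10.617 [f90]: [DirMon] 1 changed file(s) to report
2015/03/27 09:44:10.617 [f90]: [DirMon] Reporting file C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua plugin KAVClientMessage class Logger conduit KAVMessage params
2015/03/27 09:44:10.633 [814]: [DirMon] Detected file delete "C:\Program Files\Kaseya\TESTAK10277708566327\KaluaLogs\KAV\KAVClientMessageKAVMessageLogger\out324481437.kalua"
2015/03/27 09:50:01.100 [814]: [DirMon] Detected file create "C:\Program Files (x86)\Kaseya\TESTAK10277708566327\KaluaLogs\KAM\KAMClientMessageKAMMessageLogger\out900000001.kalua"
2015/03/27 09:50:01.120 [814]: [DirMon] Detected file change "C:\Program Files (x86)\Kaseya\TESTAK10277708566327\KaluaLogs\KAM\KAMClientMessageKAMMessageLogger\out900000001.kalua"
"""

# One regex for the four DirMon line shapes; "N changed file(s) to report" is skipped.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[[0-9a-f]+\]: \[DirMon\] '
    r'(?:Detected file (?P<event>create|change|delete) "(?P<qpath>[^"]+\.kalua)"'
    r'|(?P<report>Reporting file) (?P<rpath>.+?\.kalua) plugin)'
)

def parse_dirmon_events(log_text):
    """Return {path: [(timestamp, event), ...]} for every .kalua file seen."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # non-DirMon lines and the "changed file(s)" summary
        path = m.group("rpath") or m.group("qpath")
        kind = "report" if m.group("report") else m.group("event")
        events.setdefault(path, []).append((m.group("ts"), kind))
    return events

def classify_uploads(log_text):
    """Split kalua messages into uploaded (reported and deleted) vs stalled."""
    uploaded, stalled = [], []
    for path, evs in parse_dirmon_events(log_text).items():
        kinds = {kind for _, kind in evs}
        (uploaded if {"report", "delete"} <= kinds else stalled).append(path)
    return sorted(uploaded), sorted(stalled)

def logger_folder(path):
    """KaluaLogs subfolder (Kalua, KAV or KAM) that a message file came from."""
    m = re.search(r'KaluaLogs\\([^\\]+)\\', path)
    return m.group(1) if m else "unknown"

if __name__ == "__main__":
    ok, stuck = classify_uploads(SAMPLE_LOG)
    for p in ok:
        print("uploaded:", logger_folder(p), p.rsplit("\\", 1)[-1])
    for p in stuck:
        print("STALLED :", logger_folder(p), p.rsplit("\\", 1)[-1])
```

To run it against a real endpoint, replace SAMPLE_LOG with the contents of agentmon.log from the agent install directory; any file listed as stalled points at the upload path checks above rather than at the lua scripts.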
2. If the relevant KaluaLogs message files are not being generated by the lua scripts on the endpoint, this could indicate a problem with the kalua files. Follow the steps below to rule this out:
- Rename the following folders and file:
- Note: do this for the KAM folders instead if the issue is related to KAM
- Program Files\Kaseya\Scripts\KAV to KAV.OLD
- Program Files (x86)\Kaseya\Scripts\KAV to KAV.OLD
- Program Files (x86)\Kaseya\ExtDLLs\KaLua.DLL to KaLua.DLL.OLD
- <kworking directory>\KAV to KAV.OLD
- Now run a repair install on this machine and follow it with a virus definition update from KAM/KAV > Update.
- Verify whether the issue persists after this.
Kaseya Support can check whether there is a kalua file issue on the endpoint or on the Kaseya server, so please contact Kaseya Support if you would like to investigate this issue further.
Further investigation
- Please provide screenshots from the endpoint UI of Kaspersky or Malwarebytes showing that the definition on the endpoint is up to date while the one in VSA is different.
- Please also provide the agentmon.log file from the agent install directory of the endpoint.
Applies to:
KAV/KAM, VSA on-premises