How to troubleshoot LANDesk Device Control

This article details the troubleshooting steps for LANDesk Device Control.

LANDesk Device control uses settings defined in .XML files called "behavior files", in the same way that Agent Behavior or Scan and Repair settings use behavior files.

LANDesk Device Control Installation

In order for LANDesk Device Control to be installed on a device, the following must occur.

1. Endpoint Security must be checked as a component in the Agent Configuration - Start - Agent Components to install section.

2. The proper Endpoint Security setting must be selected in the Agent Configuration - Security and Compliance - Endpoint Security - Machine Configuration section.

3. Within the selected Endpoint Security Setting, Device Control must be selected as one of the Security Policies to install.

Note: If the Agent was installed without Endpoint Security, Endpoint Security can be installed later by pushing an "Install/Update Security Configurations" task from the Security Configurations Tool "Create a Task" drop-down.

Important Files in LANDesk Device Control

Files within LDCLIENT\HIPS directory:

          DCM.LOG : Device Control Manager Device Log file
          DCMVOLUMES.LOG : Device Control Manager Volumes Log file
          DCM.XML : Device Control Manager behavior file.

Files within \Documents And Settings\All Users\Application Data\LDSEC directory (Prior to Windows Vista) or  \ProgramData\LDSEC directory (Vista and later)

          BVD.RPT - File used for display of data within client EPS gui.
          LDSECSVC-DCM-DEBUG.LOG - Debug log for Device Control Manager
          HIPSCLIENTCONFIG-HIPS-debug.log - Log file for HIPSCLIENTCONFIG.EXE
          This program is used when installing Endpoint Security

Files within \Documents And Settings\All Users\Application Data\Vulscan directory (Prior to Windows Vista) or \ProgramData\Vulscan directory (Vista and later)

          HipsBehavior_(CoreServerName)_ID#.XML - Mainly contains Trusted Location information for HIPS and LANDesk Firewall
          HipsBehavior_(CoreServerName)_ID#.ZIP - .ZIP file containing all Endpoint Security behavior .XML files.
          ActionHistory.(ClientIPAddress).sent.#.xml - Action history sent from client to the core.
          vulscan.log or vulscan.#.log - useful for troubleshooting installation, change settings

          softmon.log - logs ActionHistory activity for actions sent to core by the Softmon process

Important Registry Keys

      HKLM\Software\LANDesk\HIPS\

          Settings - Current EPS settings.
          Known Volumes - Volumes that were present at the time of the DCM policy installation.   These should be excluded from the volume policy.

Note: In order to reset the "Known volumes" list, right-click the EPS system tray icon, select "Options, enter the Administrator password and click the blue text in the lower left hand corner "Reset known volumes".

General Troubleshooting steps

• Are the Device Control Settings on the core server configured correctly for the expected outcome?
  
  - Check the Device Control Settings in the Security Configurations Tool on the Core Server)
  - Make sure you are looking in the correct group - My, Public or All
  - Make a note of the ID #, Name, and Revision # for the Device Control Setting
  

• Do the Device Control Settings match what is listed on the Core Server?

- Check which Endpoint Security setting is active on the client

     Look in the registry at: HKLM\Software\LANDesk\ManagementSuite\WinClient\Vulscan

              /servlet/JiveServlet/downloadImage/102-9853-23-16889/DCMRegistrySettings.jpg

            Does the Behavior ID, Name and Revision match the core setting? (If different, run Vulscan /changesettings /showui)

            Within the DCM.XML file in the LDCLIENT\HIPS directory, do the settings match what is expected?

• Examine the log files (DCM.LOG and DCMVOLUMES.LOG in LDCLIENT\HIPS)  (Best way to gather is by turning on debug logging)

         - Do any of the ActionHistory.(ClientIPAddress).ID#.sent.xml files that contains the action expected?

            If not, duplicate the failure again and check the ActionHistory XML files.

How actions are sent from the Client to the core server

Whenever an action takes place (A device is blocked, shadow copy activity takes place, etc) this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file.   If no further activity takes place within 2 minutes, Softmon will send this information to the core server.   Otherwise every time Vulscan runs, it gathers the ActionHistory information and sends it to the core server.   This ActionHistory information gets stored in the HIPSAction table in the database and is displayed in the Security Activity window.   After the ActionHistory is sent, the .XML is renamed to .SENT.XML.   11 copies of this file are kept on the client.  .sent and then .sent #'s 1-10.

If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file
If ActionHistory is sent via Softmon, this is logged in the Softmon.log file

Items to gather and send to the LANDesk Support technician:

1. GetSystemInfo Report
2. Debug Logs
3. Exported Security Configuration Settings
4. If issue is a blue screen, gather a Kernel Mode Memory dump

Instructions for gathering this information follows:

Gather a GetSystemInfo report

The GetSystemInfo gathers details information about a computer, including hardware information, operating systems, drivers, installed, software, etc.  This utility can be very useful for determining the cause of certain issues.

1. Run GetSystemInfo.exe on the computers with the problem.
2. Click the button Create report in the right part of the main window.
3. Wait until the utility has completely scanned the system.
4. Click OK to confirm the creation of a report.

A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.

Attach this report to your created case, or e-mail it to your LANDesk Support technician.

Turning on Debug Logging within LANDesk Endpoint Security

(For a video example of this process, see the GatherDebugLogs.zip attachment to this article)

The easiest way to gather all of the useful log and behavior files is to turn on debug logging.   This will collect all files and compile them into a .CAB file on the desktop.

The following steps must be taken when gathering HIPS debug logs for LDMS 9.5:

1. On the affected client right-click the Endpoint Security system tray icon and select "Open"
2. In the LANDesk Endpoint Security window, click on the "Options" button in the top right, it looks like a wrench and screwdriver crossing.
3. In the Options window, click on the "Troubleshooting Logs: Disabled" link at the bottom of the window. It will switch to "Troubleshooting Logs: Enabled"
4. Duplicate the issue that you wish to capture in the logs. If this requires a reboot, reboot at this time.
5. Go to the Options window and click on the "Troubleshooting Logs: Enabled" link, it will switch back to "Disabled" and you will see a script run that automatically copies all the needed troubleshooting logs to the desktop into the "Logs.cab" and "Logs.def" files.

The following steps must be taken when gathering HIPS debug logs for LDMS 9.0:

1. Create the following  DWORD registry key on the affected client:

"HKLM\Software\LANDesk\HIPS\Settings\DebugLevel" set to: 0xffffffff (enter 0xfffffff by clicking "Hexidecimal" and entering "F" eight times)

2. Right-click the Endpoint Security system tray icon and select "Stop services"
3. Run Endpoint Security again by clicking the "LANDesk Endpoint Security" icon from within the "LANDesk Management" program group.
4. Within the Endpoint Security GUI you should now have a blue "Collect debug logs" link at the top of the "Status" main pane.
5. Duplicate the issue that you wish to capture in the logs. If this requires a reboot, reboot at this time.
6. Click the "Collect debug logs" link in the EPS GUI.

This will compile the following files and place them in a "Logs.cab" on the desktop.

Windows 2000/XP/2003:
C:\Documents and Settings\All Users\Application Data\LDSec\*.*, C:\Documents and Settings\All Users\Application   Data\Vulscan\ActionHistory*.xml

Windows Vista and higher:
C:\ProgramData\LDSec*.*, C:\ProgramData\vulscan\ActionHistory*.xmlLDClient\HIPS\*.log, *.xml, *.def, *.idx

If the problem is a Blue Screen,collect a Kernel Memory Dump

1. Right-click "My computer" and choose "Properties"

2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"

3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Kernel memory dump".

4. Make note of the path that the MEMORY.DMP file will be saved to.
5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.

A kernel memory dump must be supplied, a mini memory dump does not supply sufficient information.

Summary of items gathered:

The following is the list of files to be supplied to the Support Technician:

GetSystemInfo_Computername_Username_Date_time.zip– From GetSystemInfo

Logs.cab - From "Gather Debug Logs"

Endpoint Security Settings ##.ldms  - From exporting the Endpoint Security Setting
(Note, this filename will differ based on what you have named the setting)

Device Control Setting ##.ldms - From exporting the Device Control Setting
(Note, this filename will differ based on what you have named the setting)

MEMORY.DMP - If issue was a bluescreen and you have gathered a Kernel memory dump

MEMORY.DMP will likely be too large to attach to an e-mail.
If this is the case, name your .ZIP file of MEMORY.DMP to "LANDesk Case # Memory Dump.zip" and upload to ftp://ftp.landesk.com/incoming