Enabling Additional Threat Scan Tracing For A Single Agent

Version 3

    Purpose

    The purpose of this document is to provide the steps for enabling additional logging around threat scans.

    Symptoms

    If there is a problem with threat scan detection, we may need full tracing from the threat (antivirus) scan.

     

    Resolution


    1. Go to the client (agent) system where you are seeing the issue.

    2. Open Services.msc and stop the following services:

              Shavlik Protect Agent

              Shavlik Protect Agent Dispatcher

              Shavlik Protect Threat Engine

    3. Open Task Manager, go to the Processes tab, and end the STAgentUI.exe process (displayed as "Agent UI" in the Windows 8/Server 2012 Task Manager). All other agent processes should have ended when the services were stopped.

    4. Delete or move ALL the files that currently exist in the following directory:

         v.9.x on Windows 7, 8, 2008, Vista, 2012: C:\ProgramData\LANDesk\Shavlik Protect\Logs

         v.9.x on Windows XP or 2003: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs

    5. Go into the following directory:

         v.9.x on 64-bit: C:\Program Files (x86)\LANDesk\Shavlik Protect Agent

         v.9.x on 32-bit: C:\Program Files\LANDesk\Shavlik Protect Agent

    6. Locate STThreat.exe.config and open it in a text editor.

    7. Find the line that states:

         <threatServiceStartup preventAPIfIncompatiblesExist="false" debugFiles="false" tslog="false"/>

         Change it to the following:

         <threatServiceStartup preventAPIfIncompatiblesExist="true" debugFiles="true" tslog="true"/>

         Then locate the line:

         <add name="NativeLog" type="FileLog" initializeData="|LOGDIRECTORY|\STThreat.log" maximumFileSize="20000000" maximumNumberOfFiles="2"/>

         Change it to the following:

         <add name="NativeLog" type="FileLog" initializeData="|LOGDIRECTORY|\STThreat.log" maximumFileSize="20000000" maximumNumberOfFiles="30"/>

    8. Save the file.

    9. Start all the agent services back up (see step two).

    10. Start the agent. You can do this by opening the agent UI from the Start menu (path below) or by running STAgentUI.exe from the program files directory listed in step five.

         v.9.x: Start > All Programs > Shavlik Protect > Shavlik Protect Agent

    11. Run a full threat scan or recreate the issue.

    12. Once the scan is complete or you have reproduced the issue, zip and send ALL the files that now exist in the directory mentioned in step four.

         Note: Some of the additional logging created may be in XML format.
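         The following script is an added example, not a Shavlik tool, that automates steps 2 through 9 on the v.9.x 64-bit layout. It assumes the default paths listed above, an elevated PowerShell session, and that the service display names match those in step two; it edits the config as XML so only the two elements named in step seven are changed.

```powershell
# Added example (not from the article): automate steps 2-9 for v.9.x 64-bit.
# Assumptions: default install/log paths from the article, elevated session.
param([switch]$Revert)   # -Revert restores the original attribute values

$cfg  = 'C:\Program Files (x86)\LANDesk\Shavlik Protect Agent\STThreat.exe.config'
$logs = 'C:\ProgramData\LANDesk\Shavlik Protect\Logs'
$services = 'Shavlik Protect Agent', 'Shavlik Protect Agent Dispatcher', 'Shavlik Protect Threat Engine'

# Steps 2 and 3: stop the services by display name, then end the agent UI.
foreach ($name in $services) {
    Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Stop-Service -Force
}
Get-Process -Name STAgentUI -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 4: move the existing logs aside (rather than delete) so nothing is lost.
if (-not $Revert -and (Test-Path $logs)) {
    $archive = "$logs.old.$(Get-Date -Format yyyyMMdd-HHmmss)"
    New-Item -ItemType Directory -Path $archive | Out-Null
    Get-ChildItem -Path $logs -File | Move-Item -Destination $archive
}

# Step 7: keep a one-time backup, then edit the two elements as XML so the
# change does not depend on attribute order or whitespace in the file.
$backup = "$cfg.bak"
if (-not (Test-Path $backup)) { Copy-Item -Path $cfg -Destination $backup }
[xml]$xml = Get-Content -Path $cfg -Raw
$startup = $xml.SelectSingleNode('//threatServiceStartup')
$native  = $xml.SelectSingleNode("//add[@name='NativeLog']")
if (-not $startup -or -not $native) { throw "Expected elements not found in $cfg" }

if ($Revert) { $flag = 'false'; $files = '2' }   # values from the original config
else         { $flag = 'true';  $files = '30' }  # values from step 7
$startup.SetAttribute('preventAPIfIncompatiblesExist', $flag)
$startup.SetAttribute('debugFiles', $flag)
$startup.SetAttribute('tslog', $flag)
$native.SetAttribute('maximumNumberOfFiles', $files)
$xml.Save($cfg)   # step 8

# Step 9: start the services again in the order they are listed in step 2.
foreach ($name in $services) {
    Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Start-Service
}
```

         With maximumNumberOfFiles="30" the STThreat.log rotation alone can reach 30 files of 20,000,000 bytes (about 600 MB), so run the script with -Revert once the logs have been zipped and sent.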

    Description: How-To

    Affected Product(s): Shavlik Protect 9.x