Purpose
The purpose of this document is to provide steps to enable additional logging surrounding threat scans.
Symptoms
If there is a problem with threat scan detection, we may need full tracing from the threat (antivirus) scan.
Resolution
1. Go to the client (agent) system where you are seeing the issue.
2. Open Services.msc, and stop the following services:
Shavlik Protect Agent
Shavlik Protect Agent Dispatcher
Shavlik Protect Threat Engine
3. Open Task Manager, go to Processes, and end the STAgentUI.exe process. (Displayed as Agent UI in Windows 8/Server 2012 process manager.) All other agent processes should have ended when the services were stopped.
4. Delete or move ALL the files that currently exist in the following directory:
v.9.x on Windows 7, 8, 2008, Vista, 2012: C:\ProgramData\LANDesk\Shavlik Protect\Logs
v.9.x on Windows XP or 2003: C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs
5. Go into the following directory:
v.9.x on 64-bit: C:\Program Files (x86)\LANDesk\Shavlik Protect Agent
v.9.x on 32-bit: C:\Program Files\LANDesk\Shavlik Protect Agent
6. Locate STThreat.exe.config and open the file in a text editor.
7. Find the line that states:
<threatServiceStartup preventAPIfIncompatiblesExist="false" debugFiles="false" tslog="false"/>
Change it to the following:
<threatServiceStartup preventAPIfIncompatiblesExist="true" debugFiles="true" tslog="true"/>
Then locate the line:
<add name="NativeLog" type="FileLog" initializeData="|LOGDIRECTORY|\STThreat.log" maximumFileSize="20000000" maximumNumberOfFiles="2"/>
Change it to the following:
<add name="NativeLog" type="FileLog" initializeData="|LOGDIRECTORY|\STThreat.log" maximumFileSize="20000000" maximumNumberOfFiles="30"/>
8. Save the file.
9. Start all the agent services back up (see step two).
10. Start the agent. You can do this by opening the agent UI from the Start menu (path below) or by going into the program files directory and running STAgentUI.exe.
v.9.x: Start > All Programs > Shavlik Protect > Shavlik Protect Agent
11. Run a full threat scan or recreate the issue.
12. Once the scan is complete or you have reproduced the issue, zip and send ALL the files that now exist in the directory mentioned in step four.
Note: Some of the additional logging created may be in XML format.
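Steps 2 through 9 above as a PowerShell script, added here as an example and not vendor-supplied code. It assumes an elevated prompt, the service display names and paths listed in this article, and a config file containing the two elements quoted in step 7; the timestamped config backup and the "Logs-before-..." folder name are additions of this example.

```powershell
# Added example: automates steps 2-9 of this article. Run elevated.
$ErrorActionPreference = 'Stop'

# Service display names exactly as listed in step 2.
$services = 'Shavlik Protect Agent', 'Shavlik Protect Agent Dispatcher', 'Shavlik Protect Threat Engine'

# Candidate directories from steps 4 and 5; the first one that exists is used.
$logDir = @('C:\ProgramData\LANDesk\Shavlik Protect\Logs',
            'C:\Documents and Settings\All Users\Application Data\LANDesk\Shavlik Protect\Logs') |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
$agentDir = @('C:\Program Files (x86)\LANDesk\Shavlik Protect Agent',
              'C:\Program Files\LANDesk\Shavlik Protect Agent') |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $logDir -or -not $agentDir) { throw 'Agent or log directory not found.' }

# Steps 2-3: stop the services, then end the agent UI if it is still running.
foreach ($name in $services) { Stop-Service -DisplayName $name -Force }
Get-Process -Name STAgentUI -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 4: move (rather than delete) everything currently in the log directory.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$oldLogs = Join-Path (Split-Path $logDir -Parent) "Logs-before-$stamp"   # folder name is hypothetical
New-Item -ItemType Directory -Path $oldLogs | Out-Null
Get-ChildItem -LiteralPath $logDir | Move-Item -Destination $oldLogs

# Steps 6-8: back up the config, then set the attributes shown in step 7.
$configPath = Join-Path $agentDir 'STThreat.exe.config'
Copy-Item -LiteralPath $configPath -Destination "$configPath.$stamp.bak"
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)
# local-name() keeps the lookup working whether or not the file declares a default namespace.
$startup   = $xml.SelectSingleNode("//*[local-name()='threatServiceStartup']")
$nativeLog = $xml.SelectSingleNode("//*[local-name()='add'][@name='NativeLog']")
if ($null -eq $startup -or $null -eq $nativeLog) {
    throw 'threatServiceStartup or NativeLog element not found; config left unchanged.'
}
foreach ($attr in 'preventAPIfIncompatiblesExist', 'debugFiles', 'tslog') {
    $startup.SetAttribute($attr, 'true')
}
$nativeLog.SetAttribute('maximumNumberOfFiles', '30')
$xml.Save($configPath)

# Step 9: start the services again.
foreach ($name in $services) { Start-Service -DisplayName $name }
Write-Output "Tracing enabled. New logs will be written to $logDir"
```

Steps 10 through 12 (starting the agent UI, running the scan, and collecting the logs) are still done by hand.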
Description
How-To
Affected Product(s)
Shavlik Protect 9.x