Gatekeeper brings Server 2012 to a total halt

RobFoneo

Hello,

One of our virtual Windows Server 2012 R2's (a Terminal Server) has blocked completely, for the second time in a week. I was forced to reboot the server, and even that did not go very easy.

From Event Viewer: "The description for Event ID 1 from source F-Secure Gatekeeper cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

The error happened on a Saturday night, and turned up every minute in Event Viewer all through the weekend. The error always refers to a file (apparently that's blocking some scanning?), this file changes over time.

Anyone has any ideas what is happening here? It has been two Monday mornings where an entire company could not log on to the Terminal Server due to this problem, so I'd hate this to happen again next weekend (though this time I'll check for it on Sunday).

Product:  F-Secure PSB Server Security 11.00 build 236 ; F-Secure Anti-Virus 9.51 build 184 .

 

Many thanks,

Rob

 

NickJ

Hi RobFoneo,

 

We have experienced the same issue (on a different OS), and we have a ticket open with F-Secure support at the moment. We have been told that this has been reported by other customers, and that it is being handled by R&D as an ongoing issue.

 

Our ticket has been open since November (!!), but we have recently been informed that there is a scanning platform update due this week which was intended to address this issue. Let's wait and see!

 

Nick

 

 

 

Ben

Hi, 

 

We released today a new scanner manager update(F-Secure Scanner Manager Update 2016-02-16_01).

Note that it might need a reboot to take full effect. 

 

If you still experience such issue with this update and after reboot, please contact or send your feedback to our support.

RobFoneo

Ben,
F-Secure Scanner Manager Update 2016-02-16_01 was apparently NOT installed through automatic updates (other F-Secure Scanner Manager Updates have been installed, last one on 2016-02-16_01).

Other updates (Aquarius etc.) have been installed the past days.
Check for updates says there's nothing new available.
Is there a way to install the update manually ?

Thank you for your help,
Rob

etomcat

Hello,

 

Maybe you could run the "AUA-reset" tool avalaible on F-Secure FTP site:

ftp://ftp.f-secure.com/support/tools/FSAUA-Reset/

 

The "AUA-reset" tool erases all updates and forces the computer to re-download and re-index them. It is a widely used panacea for various F-Secure software problems.

 

Note: if running AUA-reset on the endpoint doesn't resolve the problem, it may be necessary to run it on the F-Secure Policy Manager centralized control server, wait until the re-indexing settles down in 25-45 minutes and then run in on the endpoint. A full database set re-download can cause ~250MB data traffic from the net.

 

Yours Sincerely: Tamas Feher, Hungary.

RobFoneo

Received through mail:

------------------------

Dear Rob,

 

After further investigation, please be informed that the Event ID 1 is usually an indication of a deadlock between Gatekeeper 

(GK) and the OS (in easier terms, scanning is hanging). The symptom is the same for all cases (event ID 1), but the root cause can vary.

 

If the Schedule Scan is not turned on then its fine.

Please try to Disable the Scan Inside Archives/Scan Inside Compress Executable  in the Real-Time Protection Settings and monitor on this issue.  


Best regards,
Sugumaran

RobFoneo

I checked and scheduled scan was off - I left it like that.

The Scan Inside Archives/Scan Inside Compress Executable  in the Real-Time Protection Settings, was indeed enabled. I disabled this setting about a week ago and the error has not occured since, so this seems to have been the issue. However, keeping in mind that the error only occured twice in two weeks, I'll keep monitoring this for a while.

 

RobFoneo

Thanks Sugumaran, I've been monitoriung the server for several weeks now and the issue has never occured, so this was clearly the Solution!

Many thanks,

Rob