Chapter 10 - Troubleshooting

 

Applies to: Microsoft Antigen

The following topics describe how to troubleshoot problems that can occur when using the Antigen Enterprise Manager (AEM):

  • Troubleshooting errors resulting from an incorrect IIS or ASP.NET configuration
  • Troubleshooting problems when deploying an agent to a remote server
    • Troubleshooting AEM connection errors during installation
    • Troubleshooting agent deployment errors resulting from the Pushinstaller process
    • Troubleshooting agent deployment errors resulting from using different user credentials
  • Troubleshooting installation package or template deployment issues
  • Troubleshooting scan engine signature updates in AEM
    • Troubleshooting scan engine update issues on the remote server
  • Troubleshooting problems that occur with statistics gathering and reporting
  • Troubleshooting a "service is unavailable" error
  • Verifying AEM user accounts and permissions

Note

If you require additional technical support after following these troubleshooting steps, contact Microsoft Help and Support.

Troubleshooting errors resulting from an incorrect IIS or ASP.NET configuration

AEM works in conjunction with Internet Information Services (IIS) and ASP.NET. Therefore, problems that occur while using the AEM console may be related to IIS or ASP.NET.

After you install AEM, you may not be prompted for a password, and you may be unable to navigate through the console. This is likely caused by an incorrect IIS or ASP.NET configuration.

The following are error messages that may also indicate an incorrect IIS or ASP.NET configuration:

  • "The page cannot be found."
  • "Server Error in '/SEMConsole' Application. Access denied to 'C:\Program Files\Microsoft Antigen Enterprise Manager\SEMConsole\Default.aspx'. Failed to start monitoring file changes."
  • "Server Error in '/SEMConsole' Application. The resource cannot be found."

To resolve these errors, it is recommended that you uninstall and then reinstall AEM and the Microsoft .NET Framework.

To uninstall and then reinstall AEM and the .NET Framework

  1. Uninstall AEM. For information, see “Uninstalling” in “Chapter 2 – Installation” in the Microsoft Antigen Enterprise Manager User Guide.

  2. Uninstall the .NET Framework runtime. For information, see your .NET Framework documentation.

  3. Reinstall AEM. The .NET Framework is automatically reinstalled. For more information, see “Installing” in “Chapter 2 – Installation” in the Microsoft Antigen Enterprise Manager User Guide.

If the errors persist, it is recommended that you verify your IIS configuration.

To verify the IIS configuration

  1. Click Start, click Run, type compmgmt.msc, and then click OK.

  2. Expand Services and Applications, expand Internet Information Services (IIS) Manager, expand Web Sites, and then expand Default Web Site.

  3. Right-click SEMConsole, and then click Properties.

  4. Click the Virtual Directory tab, and then in the Application settings area, click Configuration.

  5. In the Application Configuration dialog box, in the Application extensions list, verify that ASPX is listed. Additionally, verify that ASPX maps to the following location:

    C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll

If your IIS configuration is correct, it is recommended that you verify the permissions of the local SUSR_ComputerName account.

To verify the SUSR_ComputerName account permissions

  • In Windows Explorer, locate the directories that are listed in the following table, and then verify that the SUSR_ComputerName account has been assigned the correct permissions.

Directory                                                                SUSR_ComputerName account permissions

C:\Program Files\Microsoft Antigen Enterprise Manager\SEMConsole         Read only
C:\Windows\Temp                                                          Read, write, delete
C:\Windows\system32                                                      Read only
C:\Windows\assembly                                                      Read only
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322                             Read only
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files     Read only
C:\Inetpub\wwwroot                                                       Read only
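The following Windows PowerShell script is an added example; it is not part of the Antigen documentation or product. It reads the access control list of each directory in the table and reports whether the SUSR_ComputerName account holds the listed rights. It assumes the default installation paths from the table (with the Windows folder taken from %SystemRoot%), that "Read only" means the Read file system right, and that it runs in an elevated Windows PowerShell session on the AEM server. Only access control entries that name the account directly are evaluated; rights the account inherits through group membership are not resolved.

```powershell
# Added example (not part of the Antigen documentation). Run in an elevated
# Windows PowerShell session on the AEM server.
$account = "$env:COMPUTERNAME\SUSR_$env:COMPUTERNAME"
$fw      = "$env:SystemRoot\Microsoft.NET\Framework\v1.1.4322"

# Directory -> FileSystemRights that must be granted ("Read only" in the table is
# taken to mean the Read right; the Temp folder needs Read, Write and Delete).
$required = [ordered]@{
    'C:\Program Files\Microsoft Antigen Enterprise Manager\SEMConsole' = 'Read'
    "$env:SystemRoot\Temp"                                             = 'Read, Write, Delete'
    "$env:SystemRoot\system32"                                         = 'Read'
    "$env:SystemRoot\assembly"                                         = 'Read'
    $fw                                                                = 'Read'
    "$fw\Temporary ASP.NET Files"                                      = 'Read'
    'C:\Inetpub\wwwroot'                                               = 'Read'
}

foreach ($dir in $required.Keys) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Directory not found: $dir"
        continue
    }
    $need  = [int][System.Security.AccessControl.FileSystemRights]$required[$dir]
    $allow = 0; $deny = 0
    # Combine the Allow and Deny entries that name the account itself
    # (rights inherited via group membership are not resolved here).
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.IdentityReference.Value -ne $account) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # Deny entries take precedence over Allow entries.
    $effective = $allow -band (-bnot $deny)
    $status = if (($effective -band $need) -eq $need) { 'OK' } else { 'MISSING' }
    "{0,-8} {1,-20} {2}" -f $status, $required[$dir], $dir
}
```

A line that reads MISSING for a directory means the account lacks a right the table requires; grant it through the Security tab of the folder's Properties dialog box in Windows Explorer, and then retry the AEM console.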

Troubleshooting problems when deploying an agent to a remote server

The deployment of agents to remote systems can be complex because of the interactions among the Universal Naming Convention (UNC), Server Message Block (SMB), and DCOM protocols on the remote systems. The following subtopics describe issues that may occur when AEM deploys the agent to the remote server.

Troubleshooting AEM connection errors during installation

Note

Typically, errors occur during installation because of incorrect configurations, firewalls, or locked files on the remote system. Any error message that you receive when connecting to the remote server is generated by the Windows operating system.

If you receive an error message when attempting to connect to the remote server, you should determine if the connection failure occurred because of an operating system or network issue. Using the same user name and password that you attempted to use through AEM, map a drive to the following share on the remote server:

\\ComputerName\admin$

If this does not work, this means that a firewall or an incorrect network configuration is blocking the connection. Contact your network administrator to help you resolve this issue on the server side.

Troubleshooting agent deployment errors resulting from the Pushinstaller process

When you try to deploy an AEM agent, the error message "Failed to deploy the Agent. Reason: The requested operation cannot be performed on a file that has a user-mapped section open" may appear in the status window.

This error occurs if you unsuccessfully attempt to deploy an agent multiple times. Usually, this error message means that the Pushinstaller.exe process is still running on the remote server. If this file is locked, you cannot deploy the agent remotely. To resolve this issue, locate the following folder on the remote Antigen server, and then delete the Pushinstaller.exe file:

\\ComputerName\admin$\temp

Note

If you cannot delete the Pushinstaller.exe file, try renaming it. If you are also unable to rename it, you probably need to stop the Pushinstaller.exe process before deleting the Pushinstaller.exe file. Remotely log on to the server, open Task Manager, and then stop the Pushinstaller.exe process. Alternatively, you can stop the Pushinstaller.exe process in Services Control Manager (click Start, point to Administrative Tools, and then click Services).
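The following Windows PowerShell script is an added example, not part of the Antigen documentation or product. It performs the two checks described in this section: it maps the admin$ share of the remote server with the credentials that AEM would use, and then reports whether a leftover Pushinstaller.exe in admin$\temp is still locked by a running process. The computer name ANTIGENSRV01 and the drive letter Z are placeholders, and the script deletes nothing.

```powershell
# Added example (not part of the Antigen documentation). Run on the AEM server.
$remote = 'ANTIGENSRV01'   # placeholder: name of the remote Antigen server
$share  = "\\$remote\admin$"
$cred   = Get-Credential -Message "Account used for AEM agent deployment"

try {
    # -Persist maps a real drive letter for the logon session, so the supplied
    # credentials are used for every later access to the share.
    New-PSDrive -Name Z -PSProvider FileSystem -Root $share -Credential $cred -Persist -ErrorAction Stop | Out-Null
} catch {
    # Failure here is an operating system or network problem (firewall,
    # name resolution, credentials), not an AEM problem.
    Write-Warning "Cannot map ${share}: $($_.Exception.Message)"
    return
}
"Mapped $share as Z:"

$push = 'Z:\temp\Pushinstaller.exe'
if (Test-Path -LiteralPath $push) {
    try {
        # Opening with FileShare.None fails with a sharing violation when the
        # remote Pushinstaller.exe process still has the file open.
        $fs = [System.IO.File]::Open($push, 'Open', 'Read', 'None')
        $fs.Close()
        "Pushinstaller.exe is present in $share\temp and is not locked; it can be deleted as described above."
    } catch [System.IO.IOException] {
        Write-Warning "Pushinstaller.exe in $share\temp is locked; stop the Pushinstaller.exe process on $remote first."
    }
} else {
    "No leftover Pushinstaller.exe in $share\temp"
}

Remove-PSDrive -Name Z
```

If the mapping itself fails, involve the network administrator as described above; if the file is reported as locked, stop the Pushinstaller.exe process on the remote server before deleting the file.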

Troubleshooting agent deployment errors resulting from using different user credentials

When attempting to deploy an agent, the error message "Error adding network connection: The credentials supplied conflict with an existing set of credentials" may appear in the status window.

This error message appears if you previously connected to the remote server by using a different set of credentials. For example, if you mapped a remote drive to the remote server by using one user name and password in Windows and then you tried to map another drive to the same server by using different credentials, you may receive this message.

Typically, this error message disappears after AEM is inactive for several minutes, and then AEM functions properly. However, you can disconnect immediately by shutting down Microsoft.SEM.Services.

To shut down Microsoft.SEM.Services

  1. Close the AEM console.

  2. Open Component Services by clicking Start, pointing to All Programs, pointing to Administrative Tools, and then clicking Component Services.

  3. Expand Component Services, expand Computers, expand My Computer, and then expand COM+ Applications.

  4. Right-click Microsoft.SEM.Services, and then click Shutdown.

  5. Exit Component Services.

Troubleshooting installation package or template deployment issues

After an agent is installed on the remote server, you can deploy a package or a template file to the remote system. If a deployment is unsuccessful, use the following troubleshooting steps, which cover several items to verify on the AEM server and on the remote server.

On the AEM server, verify that the directories exist and have the proper permissions, and verify that Message Queuing is installed. Also check the Application Event log for errors, and check DCOM connectivity on the AEM server.

To verify that the AEM server is configured properly

  1. Verify that the following directories exist on the AEM server:

    • \\SEMServer\SybariRedistribution$
    • C:\Program Files\Microsoft Antigen Enterprise Manager\SEMServices\Redistribution
  2. Verify that the share can be accessed from the remote system from which you are attempting to deploy the template or installation package.

  3. Use the Search feature to locate the Template.adb file or the Antigen installation file that was uploaded in the following location:

    Redistribution\packages

  4. If no messages are displayed on the AEM console when you attempt to deploy a package or template, view the Security log on the AEM server in order to see the logon successes and failures of the SNTF_ComputerName account.

  5. If messages are not being displayed, or if you receive only one initial message, verify that Message Queuing is installed by performing the following steps. Additionally, verify that messages are not building up in the queue.

    1. Click Start, click Run, type compmgmt.msc, and then click OK.

    2. Under Computer Management, expand Services and Applications, expand Message Queuing, expand Private Queues, expand Microsoft.sem.notification, and then click Queue Messages. The pane on the right should be blank.

    3. Right-click microsoft.sem.notification, and then click Properties.

    4. On the Security tab, verify that the Everyone group is assigned Receive Message and Peek Message permissions.
      If any permission is missing, or if you see messages building up in the queue, then Message Queuing and Message Queuing Triggers are incorrectly configured. This condition results in no messages being posted back to the user.

    5. To confirm that the permissions are correctly configured, make sure that the SMGR_ComputerName, Network Service, and local Administrator accounts have the same rights as the Everyone group (Receive Message and Peek Message permissions) by checking the settings for each of these accounts.

      Note

      If Message Queuing or Message Queuing Triggers are incorrectly configured, AEM must be reinstalled in order to correct this condition. Once AEM has been reinstalled, the deployment agents must also be redeployed to the managed servers.

  6. On the computer that is running AEM, view the Application Event log in order to determine whether it is connected to the remote system.

  7. To verify that DCOM can be used to connect to the remote server, try to map a UNC share to the remote server. Additionally, try to connect the local Service Control Manager to the remote server.

    This step helps you determine whether the computers are behind a firewall and whether the computers can make a DCOM connection to the remote server.
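For step 5, the following Windows PowerShell script is an added example and is not part of the Antigen documentation or product. It checks on the AEM server that the microsoft.sem.notification private queue exists and counts the messages waiting in it, which should be zero. It uses the System.Messaging .NET assembly, which is present when Message Queuing is installed, and it only peeks at messages without removing them. Queue permissions cannot be read through this API, so verify those in Computer Management as described in step 5.

```powershell
# Added example (not part of the Antigen documentation). Run on the AEM server.
Add-Type -AssemblyName System.Messaging

# Private queue that AEM uses for deployment notifications (name from step 5 above).
$path = '.\private$\microsoft.sem.notification'

if (-not [System.Messaging.MessageQueue]::Exists($path)) {
    Write-Warning "Queue $path does not exist; Message Queuing may not be installed, or AEM may need to be reinstalled."
    return
}

$queue = New-Object System.Messaging.MessageQueue $path
$count = 0
# GetMessageEnumerator2 peeks at the queue; nothing is dequeued.
$enum = $queue.GetMessageEnumerator2()
while ($enum.MoveNext()) { $count++ }
$enum.Close()
$queue.Close()

if ($count -eq 0) {
    "Queue $path is empty, as expected."
} else {
    Write-Warning "$count message(s) are waiting in $path; Message Queuing or Message Queuing Triggers may be misconfigured."
}
```

Messages building up in the queue are the symptom described in step 5: notifications are not being triggered back to the console, which points at the Message Queuing or Message Queuing Triggers configuration.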

On the remote server, verify its deployment by checking the Application and AntigenInstall logs for related errors. Also, confirm that the SDEP_ComputerName account is configured correctly, and confirm that the directories exist and have the proper permissions.

To verify that the remote server is configured properly

  1. On the remote server, view the Application Event log in order to determine whether any error messages are recorded from the Deployment Agent (the Event Source) regarding Notification Agent access to the AEM server (the Description).

    For example, look for user name and password errors for the SNTF_ComputerName account.

  2. Verify that the SDEP_ComputerName account is configured correctly by performing the following steps:

    1. Click Start, click Run, type compmgmt.msc, and then click OK.
    2. Expand System Tools, expand Local Users and Groups, and then click Users.
    3. Verify that the SDEP_ComputerName account exists.
    4. Double-click SDEP_ComputerName, and then select the Password never expires check box.
    5. Clear the User must change password at next logon check box, and then click OK.
  3. In Windows Explorer, navigate to the following location in order to make sure that the folder exists:

    Windows\temp\SybariCache\

  4. Search the Windows\temp\SybariCache\ folder and its subdirectories for the file that you tried to deploy. This image is the same .exe or .adb file that was originally uploaded as a package.

  5. View the following file in order to locate any errors:

    C:\Antigeninstall.log

Troubleshooting scan engine signature updates in AEM

AEM can be configured to automatically update scan engine signature files on all of your managed Antigen servers. In the event that a problem occurs while updating the scan engines, you can use the following steps to try to resolve the issue.

To troubleshoot scan engine update issues on the AEM server

  1. On the AEM console, confirm that AEM is configured to use the correct update site in order to download the updated signature files. This should be the following site:

    antigendl.microsoft.com/antigen

  2. In Windows Explorer, navigate to the following folders in order to determine whether they exist:

    • \\SEMServer\SybariRedistribution$
    • drive:\Program Files\Microsoft Antigen Enterprise Manager\SEMServices\Redistribution
  3. Verify that the following share can be accessed from the remote system:

    \\SEMServer\SybariRedistribution$

  4. Search the following folder in order to determine whether the signature files that are being downloaded exist:

    Redistribution\scan_engine_updates

  5. If the signature files exist, verify that the manifest.xml file is correct and is the most recent version by performing the following steps:

    1. In Windows Explorer, open the following folder:
      drive:\Program Files\Microsoft Antigen Enterprise Manager\SEMServices\Redistribution\SybariCache\x86\ScanEngineName\Package\MostRecentDate

    2. Open the Manifest.cab file, and then double-click the Manifest.xml file. The version number of the engine is included in the Manifest.xml file. Confirm that this is the latest version by comparing it to a new Manifest.xml file by downloading the latest Manifest file from the following Microsoft Web site:
      https://antigendl.microsoft.com/antigen/x86/ScanEngineName/Package/manifest.cab

      Note

      Replace ScanEngineName with the name of the scan engine for which you are downloading the Manifest file. For example, use one of the following: Norman, Microsoft, Sophos, CAVet, Command, AhnLab, Antigen, VBuster, Kaspersky, or SpamCure.

    3. Save the file to a temporary folder.

    4. Extract the enclosed Manifest.xml file from the Manifest.cab file that you downloaded.

    5. Open the Manifest.xml file by double-clicking the file. Make note of the version number of the engine that is included in the Manifest.xml file, and then compare it to the file that exists in the AEM directory. If the items in step 3 and step 4 are verified to be correct, then the error likely occurred during redistribution. View the Application Event log on the AEM server in order to determine whether any log entries describe failures connecting to the remote system. These errors can help you to pinpoint download errors.

Troubleshooting scan engine update issues on the remote server

To troubleshoot scan engine update issues on the remote server, first use Windows Explorer to determine if the signature update files exist in the following folder:

C:\Windows\Temp\SybariCache

If the files exist, they were successfully downloaded to the remote system, and the problem may be occurring during the GetEngineFiles process on the remote system. To troubleshoot GetEngineFiles problems on the remote system, review these Knowledge Base (KB) articles:

If the files do not exist, the error occurred during the engine download process.

To troubleshoot a problem with the engine download process

  1. Stagger AEM updates and Antigen updates so that the updates occur at different times. It is recommended you configure AEM to update the scan engines every 30 to 60 minutes and that you configure Antigen to update the scan engines from the HTTP site once per day. For information on how to do this, see "Manage Jobs" in the Microsoft Antigen Enterprise Manager User Guide, and "File scanner updating overview" in the Microsoft Antigen for Exchange User Guide.

  2. Try to map a UNC share to the remote computer by using DCOM from the AEM server. Do this to verify connectivity to the remote server.

  3. On the AEM server, try to connect the local Service Control Manager to the remote computer. This process confirms that you are not behind a firewall and that you can obtain DCOM connections to the remote computer.

Viewing error messages in the Application Event Log

When both AEM and Antigen are scheduled to download updates at the same time, the following two error messages may be recorded in the Application Event Log. This is not a problem, because Antigen is still updated successfully.

If both error messages appear together, AEM and Antigen are scheduled to download updates at the same time. If they do not appear together, you may be experiencing a different engine update problem.

    Event Type: Error
    Event Source: GetEngineFiles
    Description: The description for Event ID (6063) in Source (GetEngineFiles) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: GetEngineFromHTTP function failed.

    Event Type: Error
    Event Source: DeploymentAgent
    Description: Error "Access is denied." (0x80070005) creating notifier on "SEMServer".
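The following Windows PowerShell script is an added example, not part of the Antigen documentation or product. Run on the managed Antigen server, it searches the Application log for the two errors quoted above and reports whether they occur within a few minutes of each other (the overlapping-schedule case); errors that appear without a partner are flagged as a possible different problem. The five-minute pairing window and the one-day lookback are assumed values.

```powershell
# Added example (not part of the Antigen documentation). Run on the Antigen server.
$window = New-TimeSpan -Minutes 5      # assumed: how close in time the two errors must be
$since  = (Get-Date).AddDays(-1)       # assumed lookback period

# GetEngineFiles event 6063 with "GetEngineFromHTTP function failed".
$gef = @(Get-EventLog -LogName Application -Source GetEngineFiles -EntryType Error -After $since -ErrorAction SilentlyContinue |
         Where-Object { $_.EventID -eq 6063 -and $_.Message -match 'GetEngineFromHTTP function failed' })

# DeploymentAgent "Access is denied." (0x80070005) creating notifier on the AEM server.
$dep = @(Get-EventLog -LogName Application -Source DeploymentAgent -EntryType Error -After $since -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match '0x80070005' -and $_.Message -match 'creating notifier' })

# Pair each GetEngineFiles error with a DeploymentAgent error logged inside the window.
$pairs = foreach ($e in $gef) {
    $partner = $dep | Where-Object {
        [math]::Abs(($_.TimeGenerated - $e.TimeGenerated).TotalSeconds) -le $window.TotalSeconds
    } | Select-Object -First 1
    if ($partner) {
        [pscustomobject]@{ GetEngineFiles = $e.TimeGenerated; DeploymentAgent = $partner.TimeGenerated }
    }
}

if ($pairs) {
    "Paired errors found: AEM and Antigen are downloading updates at the same time. Stagger the two schedules."
    $pairs | Format-Table -AutoSize
} else {
    "No paired errors since $since (GetEngineFiles 6063: $($gef.Count), DeploymentAgent access denied: $($dep.Count))."
    if ($gef.Count -or $dep.Count) {
        Write-Warning "Unpaired errors were found; this may be a different engine update problem."
    }
}
```

Paired errors confirm the benign schedule overlap described above and are resolved by staggering the AEM and Antigen update jobs; unpaired errors should be investigated with the remote-server steps in the previous section.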

Troubleshooting problems that occur with statistics gathering and reporting

AEM can perform enterprise-wide reporting. Statistics can be viewed from a group of servers instead of from each server.

Statistics are gathered and correlated on each computer that is running Antigen. Antigen keeps statistics in memory for 15 minutes; after that, they are removed from memory and saved to disk.

By default, AEM polls the computers that are running Antigen and then retrieves the data that has been saved to disk every 240 minutes. The retrieval rate can be changed to as short as every 15 minutes by using the Global Configuration on the AEM console. For more information, see “Configuring Global Settings” in “Getting Started” in the Microsoft Antigen Enterprise Manager User Guide.

Alternatively, you can use the Poll Now feature. However, the Poll Now feature retrieves only data that was saved to disk. Statistics about anything that occurred in the past 15 minutes may not appear yet.

Most errors that occur with statistics gathering and reporting are caused by communication errors between AEM and the remote system. In order to determine if the communication problem is on the AEM or the remote-server side, you must check both the AEM and remote servers for errors.

To determine where the error is occurring on AEM

  1. View the Application log in Event Viewer in order to determine whether errors are recorded about the connection to the remote computer.

    If there are no errors related to the connection to the remote computer, proceed to step 2.

    If such errors are recorded, follow these steps:

    1. To determine whether you can make a DCOM connection, connect to the remote computer by using a UNC share.
    2. Connect the service control manager to the remote computer.
    3. Connect the Antigen Administrator to Antigen on the AEM server. If Antigen cannot connect, DCOM may not be functioning correctly.
    4. Make sure that the client has deployed an agent to the remote computer. If an agent was not deployed, DCOM cannot connect.
  2. View the Application log in Event Viewer in order to determine whether the following message "SQL Server Scheduled Job 'StatisticsJob'" from SQLAgent$SEMDB is recorded.

    If the message exists, follow steps a and b.

    If the message does not exist, proceed to step 3.

    a. To make sure that the job was triggered, on the AEM server, click Poll Now in order to poll the remote server.

    b. Change the polling interval by one minute, and then save the job. For example, change 15 minutes to 16 minutes. Do this to make sure that the change is recognized.

      Note

      Depending on the size of your organization, a polling problem can be caused by the length of time it takes to poll the servers. During this period, other requested operations (for example, At A Glance) may not update completely.

  3. On the AEM server, click Poll Now in order to gather updated statistics.

To determine where the error is occurring on Antigen

  1. Make sure that the AntigenStatisticsService service is running.

  2. Verify that the Statistics.xml file exists in the following folder:

    drive:\Program Files\Microsoft Antigen for Exchange

Troubleshooting a "service is unavailable" error

When you launch AEM, if you only see the message "Service Unavailable", a permission may have been removed from the DCOM component.

To add permissions on the DCOM component

  1. Click Start, click Run, type dcomcnfg, and then click OK.

  2. In the Component Services dialog box, expand Component Services, expand Computers, expand My Computer, and then expand DCOM Config.

  3. Right-click IIS Admin Service, and then click Properties.

  4. Click the Security tab.

  5. In the Launch and Activation Permissions section, select Customize, and then click Edit.

  6. In the Launch Permissions dialog box, select Authenticated Users.

  7. In the Permissions for Authenticated Users section, for the Local Launch and Local Activation permissions, select the Allow check boxes.

  8. Click OK to return to the Security tab, and then click OK again to return to the Component Services dialog box.

  9. Exit the Component Services dialog box.

  10. From a command prompt, restart IIS by issuing the iisreset command.

Verifying AEM user accounts and permissions

The following user accounts and local security policies must be configured for you to administer Antigen by using AEM. Checking that they are correctly configured is a good practice when troubleshooting AEM issues.

The following user accounts, groups, and local security policies must be configured on AEM.

User account        Required groups        Required local security policies

SUSR_ComputerName   Local Users            Log on as a batch job
                                           Deny logon locally
                                           Log on as a service

SADM_ComputerName   Users                  Log on as a batch job
                    Local Administrator    Deny logon locally
                                           Log on as a service

SMGR_ComputerName   Users                  Act as part of the operating system
                                           Log on as a batch job
                                           Deny logon locally
                                           Log on as a service

SNTF_ComputerName   Local Users            Log on as a batch job
                                           Deny logon locally
                                           Log on as a service

The following user account, groups, and local security policy must be configured on Antigen.

User account        Required group         Required local security policy

SDEP_ComputerName   Local System access    Log on as a batch job
                    Local Admin

To verify account group membership

  1. On the AEM server, click Start, click Run, type compmgmt.msc, and then click OK.

  2. Under Computer Management, expand Local Users and Groups, and then click Users.

  3. Right-click a user account, for example SUSR_ComputerName, and then click Properties.

  4. On the Member Of tab, confirm that the account is a member of the required groups.

  5. If any group is missing, click Add, and then click OK.

  6. Repeat steps 3 through 5 for the other required AEM user accounts.

  7. On the Antigen server, repeat steps 1 through 5 for the SDEP_ComputerName user account.

To verify local security policies

  1. On the AEM server, in Control Panel, open Administrative Tools, and then open Local Security Policy.

  2. In the Local Security Settings dialog box, expand Local Policies, and then click User Rights Assignment.

  3. Right-click each of the required security policies, and then select Properties to verify that the corresponding accounts are listed on the Local Security Setting tab.

  4. If any of the necessary accounts are missing, add them by clicking Add User or Group and then entering the user account, and then click OK.

  5. On the Antigen server, repeat steps 1 through 4 in order to ensure that the SDEP_ComputerName user account has been granted access to the Log on as a batch job policy.
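The following Windows PowerShell script is an added example; it is not part of the Antigen documentation or product. It automates the two procedures above on the local computer: it lists the members of each required local group through the WinNT provider, and it reads the user rights assignments from a secedit export of the local security policy. It assumes that the tables' "Local Users", "Local Administrator", and "Local Admin" entries refer to the built-in Users and Administrators groups, that the policy names map to the privilege constants shown in the script, and that it runs in an elevated session. Set $role to 'Antigen' on the Antigen server to check only the SDEP_ComputerName account.

```powershell
# Added example (not part of the Antigen documentation). Run elevated.
$role = 'AEM'              # 'AEM' on the AEM server, 'Antigen' on an Antigen server
$cn   = $env:COMPUTERNAME

# Policy display name (as in the tables) -> privilege constant used by secedit.
$priv = @{
    'Log on as a batch job'               = 'SeBatchLogonRight'
    'Deny logon locally'                  = 'SeDenyInteractiveLogonRight'
    'Log on as a service'                 = 'SeServiceLogonRight'
    'Act as part of the operating system' = 'SeTcbPrivilege'
}
$common = 'Log on as a batch job', 'Deny logon locally', 'Log on as a service'

# Account -> required local groups and policies. "Local Users"/"Local Administrator"
# in the tables are taken to mean the built-in Users and Administrators groups (assumption).
$spec = if ($role -eq 'AEM') {
    @{
        "SUSR_$cn" = @{ Groups = @('Users');                   Rights = $common }
        "SADM_$cn" = @{ Groups = @('Users', 'Administrators'); Rights = $common }
        "SMGR_$cn" = @{ Groups = @('Users');                   Rights = @('Act as part of the operating system') + $common }
        "SNTF_$cn" = @{ Groups = @('Users');                   Rights = $common }
    }
} else {
    @{ "SDEP_$cn" = @{ Groups = @('Administrators'); Rights = @('Log on as a batch job') } }
}

# Export only the user-rights area of the local security policy and parse the
# "SePrivilege = *SID,*SID,..." lines of its [Privilege Rights] section.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content -LiteralPath $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]; $holders = $Matches[2]
        $rights[$name] = @($holders -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

foreach ($user in $spec.Keys) {
    # Resolve the account to its SID; secedit writes SIDs, not names.
    try {
        $sid = ([System.Security.Principal.NTAccount]"$cn\$user").Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "$user does not exist on $cn"; continue
    }
    foreach ($g in $spec[$user].Groups) {
        # WinNT provider: list the local group's members by name.
        $members = @(([ADSI]"WinNT://./$g,group").Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        $ok = $members -contains $user
        "{0,-8} {1,-20} member of {2}" -f ($(if ($ok) { 'OK' } else { 'MISSING' })), $user, $g
    }
    foreach ($r in $spec[$user].Rights) {
        $holders = $rights[$priv[$r]]
        $ok = ($holders -contains $sid) -or ($holders -contains $user) -or ($holders -contains "$cn\$user")
        "{0,-8} {1,-20} {2}" -f ($(if ($ok) { 'OK' } else { 'MISSING' })), $user, $r
    }
}
```

Each MISSING line corresponds to a group or policy to add in Computer Management or Local Security Policy as described in the two procedures above; rerun the script afterward to confirm that every line reads OK.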