Is anyone else getting errors when Kaspersky tries to update? Starting yesterday evening, we have been getting errors on all CAS servers that:

Microsoft Forefront Protection encountered an error while performing a scan engine update.

   Scan Engine: Kaspersky

Thanks,

Bryan

Hi Bryan,

Are you still running into this issue?  If so, can you please turn on verbose logging in FPE and send us the logs so we can investigate?

Instructions to turn on Verbose logging.

1. Go to Forefront Shell command under Start > Programs > Microsoft Forefront Server Protection > Forefront Management Shell
2. Run the command:     Set-Fsetracing -Level verbose 
3. Allow the problem to reproduce.
4. After it does, run:     Set-Fsetracing -Level Information
5. Now the logging will be back to normal.
6. Run FSCDiag.exe and then send me the logs.

Thanks,

Neil

It looks like the ScanEngineTest.exe step is failing. It's happening on all our servers, so I'm thinking it's either a problem with the definition download, or a problem with the store on our redistribution Forefront server.   And I've tried deleting storage520.dat and everything under the Data\Engines\x86\Kaspersky folder.  Here's the event:

Faulting application name: ScanEngineTest.exe, version: 11.0.727.0, time stamp: 0x4ecad6cc

Faulting module name: klsrlsvc.ppl, version: 9.0.0.741, time stamp: 0x4d91b0e7

Exception code: 0xc0000005

Fault offset: 0x00003876

Faulting process id: 0x17b8

Faulting application start time: 0x01cf8cc7de37dabc

Faulting application path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\ScanEngineTest.exe

Faulting module path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\bin\1406200004\klsrlsvc.ppl

Report Id: 1c94d49a-f8bb-11e3-b62c-005056860020

• Edited by Bryan Hitch 14 hours 3 minutes ago

Having the same problem here since yesterday.

It looks like the ScanEngineTest.exe step is failing. It's happening on all our servers, so I'm thinking it's either a problem with the definition download, or a problem with the store on our redistribution Forefront server.   And I've tried deleting storage520.dat and everything under the Data\Engines\x86\Kaspersky folder.  Here's the event:

Faulting application name: ScanEngineTest.exe, version: 11.0.727.0, time stamp: 0x4ecad6cc

Faulting module name: klsrlsvc.ppl, version: 9.0.0.741, time stamp: 0x4d91b0e7

Exception code: 0xc0000005

Fault offset: 0x00003876

Faulting process id: 0x17b8

Faulting application start time: 0x01cf8cc7de37dabc

Faulting application path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\ScanEngineTest.exe

Faulting module path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\bin\1406200004\klsrlsvc.ppl

Report Id: 1c94d49a-f8bb-11e3-b62c-005056860020

• Edited by Bryan Hitch Friday, June 20, 2014 8:45 PM

It looks like the ScanEngineTest.exe step is failing. It's happening on all our servers, so I'm thinking it's either a problem with the definition download, or a problem with the store on our redistribution Forefront server.   And I've tried deleting storage520.dat and everything under the Data\Engines\x86\Kaspersky folder.  Here's the event:

Faulting application name: ScanEngineTest.exe, version: 11.0.727.0, time stamp: 0x4ecad6cc

Faulting module name: klsrlsvc.ppl, version: 9.0.0.741, time stamp: 0x4d91b0e7

Exception code: 0xc0000005

Fault offset: 0x00003876

Faulting process id: 0x17b8

Faulting application start time: 0x01cf8cc7de37dabc

Faulting application path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\ScanEngineTest.exe

Faulting module path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\bin\1406200004\klsrlsvc.ppl

Report Id: 1c94d49a-f8bb-11e3-b62c-005056860020

• Edited by Bryan Hitch Friday, June 20, 2014 8:45 PM

It looks like the ScanEngineTest.exe step is failing. It's happening on all our servers, so I'm thinking it's either a problem with the definition download, or a problem with the store on our redistribution Forefront server.   And I've tried deleting storage520.dat and everything under the Data\Engines\x86\Kaspersky folder.  Here's the event:

Faulting application name: ScanEngineTest.exe, version: 11.0.727.0, time stamp: 0x4ecad6cc

Faulting module name: klsrlsvc.ppl, version: 9.0.0.741, time stamp: 0x4d91b0e7

Exception code: 0xc0000005

Fault offset: 0x00003876

Faulting process id: 0x17b8

Faulting application start time: 0x01cf8cc7de37dabc

Faulting application path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\ScanEngineTest.exe

Faulting module path: f:\Program Files\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\bin\1406200004\klsrlsvc.ppl

Report Id: 1c94d49a-f8bb-11e3-b62c-005056860020

• Edited by Bryan Hitch Friday, June 20, 2014 8:45 PM

Also having the same issue across all 7 exchange systems since 20/6

Andy

Also having the same issue here - looks to have been some sort of engine update as there are now 7 new files (kas_***).  Scanenginetest process never finishes & a new one is spawned with every update attempt.

Can you please try the following.

1)     Search registry for HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk
2)     If it exists, export the registry key.
3)     Delete the registry key.
4)     Update Kaspersky again

Please let us know if this resolves the issue.

Thanks,

Neil

• Proposed as answer by RaiZl 21 hours 29 minutes ago
• Unproposed as answer by RaiZl 15 hours 46 minutes ago

found, exported and deleted the reg key but the update has still failed "testing the scan engine"

Andy

worked for me... thanks Rainer

• Edited by RaiZl 21 hours 28 minutes ago

Andy,

Can you please turn on verbose logging in FPE and send us the logs so we can investigate?

Instructions to turn on Verbose logging.

1. Go to Forefront Shell command under Start > Programs > Microsoft Forefront Server Protection > Forefront Management Shell
2. Run the command:     Set-Fsetracing -Level verbose 
3. Allow the problem to reproduce.
4. After it does, run:     Set-Fsetracing -Level Information
5. Now the logging will be back to normal.
6. Run FSCDiag.exe and let me know once completed and I will send you the link to send the logs.

http://technet.microsoft.com/en-us/library/dd639414.aspx

Thanks,

Neil

OK, I have the logs ready

Andy

Also having the same issue across all 7 exchange systems at one site since 20/6

A second site is fine.

Ive noticed that the failing site is currently running at engine version 8.1.8.79 whereas the working site is at v8.3.4.4 (engine summary in the FP2010Exchange console.

The failing site is at a lower Exchange service pack and cumulative update and also the FP2010 exchange console is a lower version also 11.0.713.0 as opposed to 11.0.727.0 at the working site.

I cant see any issues relating to this in the HR4 notes (http://support.microsoft.com/kb/2619883) but can anyone confirm the egnine requirements for Kaspersky 8.x and Exchange please and whether this matches their setups?

Andy

• Edited by Andydane 22 hours 26 minutes ago

Also having the same issue across all 7 exchange systems at one site since 20/6

A second site is fine.

Ive noticed that the failing site is currently running at engine version 8.1.8.79 whereas the working site is at v8.3.4.4 (engine summary in the FP2010Exchange console.

The failing site is at a lower Exchange service pack and cumulative update and also the FP2010 exchange console is a lower version also 11.0.713.0 as opposed to 11.0.727.0 at the working site.

I cant see any issues relating to this in the HR4 notes (http://support.microsoft.com/kb/2619883) but can anyone confirm the egnine requirements for Kaspersky 8.x and Exchange please and whether this matches their setups?

Andy

• Edited by Andydane Monday, June 23, 2014 12:24 PM

Also having the same issue across all 7 exchange systems at one site since 20/6

A second site is fine.

Ive noticed that the failing site is currently running at engine version 8.1.8.79 whereas the working site is at v8.3.4.4 (engine summary in the FP2010Exchange console.

The failing site is at a lower Exchange service pack and cumulative update and also the FP2010 exchange console is a lower version also 11.0.713.0 as opposed to 11.0.727.0 at the working site.

I cant see any issues relating to this in the HR4 notes (http://support.microsoft.com/kb/2619883) but can anyone confirm the egnine requirements for Kaspersky 8.x and Exchange please and whether this matches their setups?

Andy

• Edited by Andydane Monday, June 23, 2014 12:24 PM

Also having the same issue across all 7 exchange systems at one site since 20/6

A second site is fine.

Ive noticed that the failing site is currently running at engine version 8.1.8.79 whereas the working site is at v8.3.4.4 (engine summary in the FP2010Exchange console.

The failing site is at a lower Exchange service pack and cumulative update and also the FP2010 exchange console is a lower version also 11.0.713.0 as opposed to 11.0.727.0 at the working site.

I cant see any issues relating to this in the HR4 notes (http://support.microsoft.com/kb/2619883) but can anyone confirm the egnine requirements for Kaspersky 8.x and Exchange please and whether this matches their setups?

Andy

• Edited by Andydane Monday, June 23, 2014 12:24 PM

Ok, 2 hours after the successfull update, the scanangine errors came back again...

Faulting application name: ScanEngineTest.exe, version: 11.0.727.0, time stamp: 0x4ecad6cc
Faulting module name: klsrlsvc.ppl, version: 9.0.0.741, time stamp: 0x4d91b0e7
Exception code: 0xc0000005
Fault offset: 0x00003876
Faulting process id: 0x1394
Faulting application start time: 0x01cf8eda52792ce4
Faulting application path: C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\ScanEngineTest.exe
Faulting module path: C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\bin\1406230002\klsrlsvc.ppl
Report Id: 90933762-facd-11e3-abae-005056bc5c98

and

Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

Can you please try the following.

1)     Search registry for HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk
2)     If it exists, export the registry key.
3)     Delete the registry key.
4)     Update Kaspersky again

Please let us know if this resolves the issue.

Thanks,

Neil

• Proposed as answer by RaiZl Monday, June 23, 2014 1:21 PM
• Unproposed as answer by RaiZl Monday, June 23, 2014 7:04 PM

Can you please try the following.

1)     Search registry for HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk
2)     If it exists, export the registry key.
3)     Delete the registry key.
4)     Update Kaspersky again

Please let us know if this resolves the issue.

Thanks,

Neil

• Proposed as answer by RaiZl Monday, June 23, 2014 1:21 PM
• Unproposed as answer by RaiZl Monday, June 23, 2014 7:04 PM
• Proposed as answer by WeetA 1 hour 55 minutes ago

Can you please try the following.

1)     Search registry for HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk
2)     If it exists, export the registry key.
3)     Delete the registry key.
4)     Update Kaspersky again

Please let us know if this resolves the issue.

Thanks,

Neil

• Proposed as answer by RaiZl Monday, June 23, 2014 1:21 PM
• Unproposed as answer by RaiZl Monday, June 23, 2014 7:04 PM
• Proposed as answer by WeetA Thursday, June 26, 2014 8:54 AM

Can you please try the following.

1)     Search registry for HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk
2)     If it exists, export the registry key.
3)     Delete the registry key.
4)     Update Kaspersky again

Please let us know if this resolves the issue.

Thanks,

Neil

• Proposed as answer by RaiZl Monday, June 23, 2014 1:21 PM
• Unproposed as answer by RaiZl Monday, June 23, 2014 7:04 PM
• Proposed as answer by WeetA Thursday, June 26, 2014 8:54 AM

worked for me... thanks Rainer

• Edited by RaiZl Monday, June 23, 2014 1:22 PM

worked for me... thanks Rainer

• Edited by RaiZl Monday, June 23, 2014 1:22 PM

worked for me... thanks Rainer

• Edited by RaiZl Monday, June 23, 2014 1:22 PM

We have exactly the same issue since 19.06.2014 in the evening. We tried to remove the files c:\Program data\Kaspersky SDK and Server Reboots, but nothing helped.

If we make am manual updat,e we see the kaspersky manifest.cab file downloading an extracting on the server an some seconds later the folder

E:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\Bin\1406240001 vanishing and lateron the error is logged:

Faulting application name: ScanEngineTest.exe, version: 11.0.727.0, time stamp: 0x4ecad6cc

Faulting module name: klsrlsvc.ppl, version: 9.0.0.741, time stamp: 0x4d91b0e7

Exception code: 0xc0000005

Fault offset: 0x00003876

Faulting process id: 0x332c

Faulting application start time: 0x01cf8f69c43522d6

Faulting application path: e:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\ScanEngineTest.exe

Faulting module path: e:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\bin\1406240001\klsrlsvc.ppl

Report Id: 020ee7ea-fb5d-11e3-9afa-e83935207746

---

Now I deleted the registry key an made a manual update. I am now waiting if the error appears again or problem ist fixed. I will post the result.

ok, it seems to be fixed after deleting the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk

For further information: manual update worked but after automatic update the error appeared. Now after deleting the registry key (and folder of  Kaspersky sdk) the error is gone away.

Can you please try the following.

1)     Search registry for HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk
2)     If it exists, export the registry key.
3)     Delete the registry key.
4)     Update Kaspersky again

Please let us know if this resolves the issue.

Thanks,

Neil

Is this an official problem acknowledged by Microsoft now.  Since the updates pushed out on the 19/06/2014 we have the problem across all Sharepoint and Exchange servers failing to update Kaspersky.  They Download, stage, and then if you're lucky ScanEngineTest.exe fails and roll's back the updates or if unlucky simply crashes and starts to have performance / service impacts on the servers.  A number of new files seem to have been coming down with the updates kas_cpconvert.dll.cab, kas_engine.dll.cab, kas_filtration.dll.cab, kas_gsg.dll.cab, kas_loader.dll.cab, kas_product.dll.cab, kas_uds.dll.cab.  Removing the earlier mentioned registry key allows a manual update but many affected servers do not have the key.  Obviously this is not a solution though.  Do we know the root cause?  Has Kaserpsky updated their engine again?

Hello

we got the same issue.

Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

0x80004005 is a permission issue.

So, we used Process Monitor to track the Access denied issue (filter: Process Name is "ScanEngineTest.exe" and Result is "ACCESS DENIED")

NT AUTHORITY\NETWORK SERVICE didn't have enough rights on C:\Windows\temp\sdk8 directory. ScanEngineTest.exe was unable to create/modify files under C:\Windows\temp\sdk8.

in our case, the owner of C:\Windows\temp\sdk8 was Administrators instead of NETWORK SERVICE.

To resolve the issue, we had to:
- set back NETWORK SERVICE as owner and propagate ownership
- reset permissions (remove all inheritable permissions then check inheritable and replace all child permissions)

After that, NETWORK SERVICE will recover its permissions on C:\Windows\temp\sdk8 subtree

Perform a manual Kaspersky engine update

Regards
Stphane

• Edited by WeetA 17 hours 18 minutes ago
• Proposed as answer by Dave G. _ 13 hours 1 minutes ago

Hello

we got the same issue.

Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

0x80004005 is a permission issue.

So, we used Process Monitor to track the Access denied issue (filter: Process Name is "ScanEngineTest.exe" and Result is "ACCESS DENIED")

NT AUTHORITY\NETWORK SERVICE didn't have enough rights on C:\Windows\temp\sdk8 directory. ScanEngineTest.exe was unable to create/modify files under C:\Windows\temp\sdk8.

in our case, the owner of C:\Windows\temp\sdk8 was Administrators instead of NETWORK SERVICE.

To resolve the issue, we had to:
- set back NETWORK SERVICE as owner and propagate ownership
- reset permissions (remove all inheritable permissions then check inheritable and replace all child permissions)

After that, NETWORK SERVICE will recover its permissions on C:\Windows\temp\sdk8 subtree

Perform a manual Kaspersky engine update

Regards
Stphane

This worked for me. I made the permissions change on the folder and then just let it update automatically on the next attempt. The Kaspersky engine updated itself to version 8.3.4.4 and updated to the latest definitions.

Thanks for getting to the root cause and finding a solution!

Hello

we got the same issue.

Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

0x80004005 is a permission issue.

So, we used Process Monitor to track the Access denied issue (filter: Process Name is "ScanEngineTest.exe" and Result is "ACCESS DENIED")

NT AUTHORITY\NETWORK SERVICE didn't have enough rights on C:\Windows\temp\sdk8 directory. ScanEngineTest.exe was unable to create/modify files under C:\Windows\temp\sdk8.

in our case, the owner of C:\Windows\temp\sdk8 was Administrators instead of NETWORK SERVICE.

To resolve the issue, we had to:
- set back NETWORK SERVICE as owner and propagate ownership
- reset permissions (remove all inheritable permissions then check inheritable and replace all child permissions)

After that, NETWORK SERVICE will recover its permissions on C:\Windows\temp\sdk8 subtree

Perform a manual Kaspersky engine update

Regards
Stphane

• Edited by WeetA Tuesday, June 24, 2014 5:29 PM
• Proposed as answer by Dave G. _ Tuesday, June 24, 2014 9:47 PM

Hello

we got the same issue.

Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

0x80004005 is a permission issue.

So, we used Process Monitor to track the Access denied issue (filter: Process Name is "ScanEngineTest.exe" and Result is "ACCESS DENIED")

NT AUTHORITY\NETWORK SERVICE didn't have enough rights on C:\Windows\temp\sdk8 directory. ScanEngineTest.exe was unable to create/modify files under C:\Windows\temp\sdk8.

in our case, the owner of C:\Windows\temp\sdk8 was Administrators instead of NETWORK SERVICE.

To resolve the issue, we had to:
- set back NETWORK SERVICE as owner and propagate ownership
- reset permissions (remove all inheritable permissions then check inheritable and replace all child permissions)

After that, NETWORK SERVICE will recover its permissions on C:\Windows\temp\sdk8 subtree

Perform a manual Kaspersky engine update

Regards
Stphane

• Edited by WeetA Tuesday, June 24, 2014 5:29 PM
• Proposed as answer by Dave G. _ Tuesday, June 24, 2014 9:47 PM

Hello

we got the same issue.

Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

0x80004005 is a permission issue.

So, we used Process Monitor to track the Access denied issue (filter: Process Name is "ScanEngineTest.exe" and Result is "ACCESS DENIED")

NT AUTHORITY\NETWORK SERVICE didn't have enough rights on C:\Windows\temp\sdk8 directory. ScanEngineTest.exe was unable to create/modify files under C:\Windows\temp\sdk8.

in our case, the owner of C:\Windows\temp\sdk8 was Administrators instead of NETWORK SERVICE.

To resolve the issue, we had to:
- set back NETWORK SERVICE as owner and propagate ownership
- reset permissions (remove all inheritable permissions then check inheritable and replace all child permissions)

After that, NETWORK SERVICE will recover its permissions on C:\Windows\temp\sdk8 subtree

Perform a manual Kaspersky engine update

Regards
Stphane

• Edited by WeetA Tuesday, June 24, 2014 5:29 PM
• Proposed as answer by Dave G. _ Tuesday, June 24, 2014 9:47 PM

Same - works for me here on all 7 systems - deleted the sdk file from temp (quicker) and the next check updated perfectly - will monitor it to make sure it keeps working but thankyou

Andy

Yes, our 15 servers now (after apply this solution) are updating Kaspersky.

Same - works for me here on all 7 systems - deleted the sdk file from temp (quicker) and the next check updated perfectly - will monitor it to make sure it keeps working but thankyou

Andy

This is a quicker way but you have to stop Forefront services because process FSCTransportScanner.exe locks some files under C:\Windows\temp\sdk8

• Edited by WeetA 28 minutes ago

Neil's registry fix worked for me

Thanks

Neill T

In fact, it seems there are two differents problems

- Manual and Local Scheduled updates not working
New Kaspersky update needs to have permissions on C:\Windows\temp\sdk8 for NETWORK SERVICE.
Older Kaspersky updates didn't need them so they were not present. New update doesn't add them.
The proper way to resolve this issue is to stop FSCController and MSExchangeTransport service, remove C:\Windows\temp\sdk8, restart FSCController and MSExchangeTransport service

- Other (Management server ?) scheduled checks not working
Neil's registry solution resolves this issue

In our case, we got both issues :)
After implementing our resolution, we still had Last check failed but not always.
It worked fine for Local Scheduled Checks (Policy Management>Global Settings>Advanced Options, Select Engine, Edit Selected Engine).
But it didn't work every hour at a different minute (maybe checks performed by Management server. Not sure as we are not responsible of the management server)

• Edited by WeetA 18 hours 1 minutes ago

Yes, our 15 servers are now updating Kaspersky  after propagate ownership and permissions on sdk8 folder.

• Edited by Pascual Molina Ruiz 23 hours 33 minutes ago

Yes, our 15 servers are now updating Kaspersky  after propagate ownership and permissions on sdk8 folder.

• Edited by Pascual Molina Ruiz Wednesday, June 25, 2014 11:16 AM

Yes, our 15 servers are now updating Kaspersky  after propagate ownership and permissions on sdk8 folder.

• Edited by Pascual Molina Ruiz Wednesday, June 25, 2014 11:16 AM

I checked on an other customer.
We don't have management servers.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab is not present.

Same - works for me here on all 7 systems - deleted the sdk file from temp (quicker) and the next check updated perfectly - will monitor it to make sure it keeps working but thankyou

Andy

This is a quicker way but you have to stop Forefront services because process FSCTransportScanner.exe locks some files under C:\Windows\temp\sdk8

• Edited by WeetA Wednesday, June 25, 2014 10:20 AM

Same - works for me here on all 7 systems - deleted the sdk file from temp (quicker) and the next check updated perfectly - will monitor it to make sure it keeps working but thankyou

Andy

This is a quicker way but you have to stop Forefront services because process FSCTransportScanner.exe locks some files under C:\Windows\temp\sdk8

• Edited by WeetA Wednesday, June 25, 2014 10:20 AM

Same - works for me here on all 7 systems - deleted the sdk file from temp (quicker) and the next check updated perfectly - will monitor it to make sure it keeps working but thankyou

Andy

This is a quicker way but you have to stop Forefront services because process FSCTransportScanner.exe locks some files under C:\Windows\temp\sdk8

• Edited by WeetA Wednesday, June 25, 2014 10:20 AM

I compared registry key before deletion and after re-creation

The most important difference is missing valus (approx 35) under the following key:[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk\avp8\profiles\AVService\settings]

It was empty before key deletion and re-populated after management server scheduled check

In fact, it seems there are two differents problems

- Manual and Local Scheduled updates not working
New Kaspersky update needs to have permissions on C:\Windows\temp\sdk8 for NETWORK SERVICE.
Older Kaspersky updates didn't need them so they were not present. New update doesn't add them.
The proper way to resolve this issue is to stop FSCController and MSExchangeTransport service, remove C:\Windows\temp\sdk8, restart FSCController and MSExchangeTransport service

- Other (Management server ?) scheduled checks not working
Neil's registry solution resolves this issue

In our case, we got both issues :)
After implementing our resolution, we still had Last check failed but not always.
It worked fine for Local Scheduled Checks (Policy Management>Global Settings>Advanced Options, Select Engine, Edit Selected Engine).
But it didn't work every hour at a different minute (maybe checks performed by Management server. Not sure as we are not responsible of the management server)

• Edited by WeetA Wednesday, June 25, 2014 4:48 PM
• Marked as answer by Bryan Hitch 21 hours 58 minutes ago

In fact, it seems there are two differents problems

- Manual and Local Scheduled updates not working
New Kaspersky update needs to have permissions on C:\Windows\temp\sdk8 for NETWORK SERVICE.
Older Kaspersky updates didn't need them so they were not present. New update doesn't add them.
The proper way to resolve this issue is to stop FSCController and MSExchangeTransport service, remove C:\Windows\temp\sdk8, restart FSCController and MSExchangeTransport service

- Other (Management server ?) scheduled checks not working
Neil's registry solution resolves this issue

In our case, we got both issues :)
After implementing our resolution, we still had Last check failed but not always.
It worked fine for Local Scheduled Checks (Policy Management>Global Settings>Advanced Options, Select Engine, Edit Selected Engine).
But it didn't work every hour at a different minute (maybe checks performed by Management server. Not sure as we are not responsible of the management server)

• Edited by WeetA Wednesday, June 25, 2014 4:48 PM
• Marked as answer by Bryan Hitch Thursday, June 26, 2014 12:51 PM

Unfortunately none of the suggestions are a suitable fix for a production environment on a large estate without knowing the root cause of the change in behavior.  An automatic engine update essentially caused the engine test process to fail leaving servers in various states of responsiveness depending on whether they rolled back cleanly.  The updates may require revised permissions on the temp directory but this is new and should not have just been released automatically.  Unfortunately, Forefront seems to be very re-active in terms of changes/updates to scanning engines.

In our case both the deletion of the KasperskyLabs/sdk registry key and removal of the C:\Windows\temp\sdk8 folder while services were stopped were required to do an update from the management console.  I'll have to wait until a scheduled update runs to see if this is a permanent fix, but it looks better than it did before.

The way this update was pushed out is disappointing.  As an enterprise we depend on the products we pay (a great deal) for to work correctly.  Having to depend on a forum for support when the products don't work is unacceptable.

• Edited by Bryan Hitch 21 hours 20 minutes ago

In our case both the deletion of the KasperskyLabs/sdk registry key and removal of the C:\Windows\temp\sdk8 folder while services were stopped were required to do an update from the management console.  I'll have to wait until a scheduled update runs to see if this is a permanent fix, but it looks better than it did before.

The way this update was pushed out is disappointing.  As an enterprise we depend on the products we pay (a great deal) for to work correctly.  Having to depend on a forum for support when the products don't work is unacceptable.

• Edited by Bryan Hitch Thursday, June 26, 2014 1:30 PM

So I spoke a bit too soon. Stopping the services and deleting the sdk8 folder didn't work. I still needed to explicitly make the Network Service account the owner and give it control of the folder.

>WeetA: In our case, we got both issues

Exactly the same situation, manual update fixed after assigning full control on the C:\Windows\Temp\sdk8 to the NETWORK SERVICE account, while scheduled update via Forefront Protection Server Management Console 2010 fixed after deleting HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk\avp8 key. Thanks a lot for the solution!

• Edited by Vladimir Bazanov 19 hours 5 minutes ago

>WeetA: In our case, we got both issues

Exactly the same situation, manual update fixed after assigning full control on the C:\Windows\Temp\sdk8 to the NETWORK SERVICE account, while scheduled update via Forefront Protection Server Management Console 2010 fixed after deleting HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\sdk\avp8 key. Thanks a lot for the solution!

• Edited by Vladimir Bazanov Friday, June 27, 2014 3:44 PM