Troubleshooting
Endpoints offline since August 17, 2023
You may notice that some Windows endpoints appear offline in Control Center since August 17, or the latest date a product update has been attempted. The event that led to this status is the agent update to version 7.9.5.318, released on Fast ring.
The update intends to replace the vlflt driver file with a new version and stop the services associated with this old version. In some corner cases, this driver did not stop properly, causing loss of communication with GravityZone.
The following product versions can be affected when updating to version 7.9.5.318, on Fast ring: 7.8.4.268, 7.8.4.270, 7.9.1.280, 7.9.1.281, 7.9.1.283, 7.9.1.285, 7.9.2.289, 7.9.2.290, 7.9.3.296, 7.9.3.297, 7.9.3.298, 7.9.4.303, 7.9.4.306, and 7.9.4.313.
To check if your endpoints are offline because of this issue, you must verify the service status of epsecurityservice and vlflt on the affected endpoint. If epsecurityservice is stopped and vlflt is stopped or pending, then the endpoint is affected.
You can check the service status from an elevated command prompt, by running the following commands:
sc query epsecurityservice
sc query vlflt
To fix this issue, you must reboot the endpoint for version 7.9.5.322 to become available. After the update, you can reboot the endpoint again at your earliest convenience.
Finding the product version of BEST in registry editor
This method helps you check the product version when BEST runs in silent mode, and the application icon is missing from the Notification area.
On the target endpoint, follow these steps:
Press Win + R to open the Run window.
Type regedit and press Enter to open the registry editor.
Click Yes if prompted by User Account Control.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security.
Find the DisplayVersion registry value. Its data shows the product version of the agent installed on the endpoint.
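The service check from the "Endpoints offline" section and the DisplayVersion lookup described here can be combined into one triage script. This is an added example, not Bitdefender code: the function names Get-ServiceStateText and Test-OfflineIssue are hypothetical, and the parsing assumes English sc.exe output.

```powershell
# Added example (not Bitdefender code). Run from an elevated PowerShell prompt on the endpoint.

# Versions the page lists as possibly affected when updating to 7.9.5.318 on Fast ring.
$AffectedVersions = @(
    '7.8.4.268', '7.8.4.270', '7.9.1.280', '7.9.1.281', '7.9.1.283', '7.9.1.285',
    '7.9.2.289', '7.9.2.290', '7.9.3.296', '7.9.3.297', '7.9.3.298',
    '7.9.4.303', '7.9.4.306', '7.9.4.313'
)
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security'

function Get-ServiceStateText {
    param([Parameter(Mandatory)][string]$Name)
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $out = & sc.exe query $Name 2>&1 | Out-String
    # Assumption: English output, e.g. "STATE              : 1  STOPPED".
    if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }
    return 'NOT_FOUND'
}

function Test-OfflineIssue {
    param([string]$EpsState, [string]$VlfltState)
    # Rule from the page: epsecurityservice is stopped AND vlflt is stopped or pending.
    $vlfltDown = ($VlfltState -eq 'STOPPED') -or ($VlfltState -like '*_PENDING')
    return (($EpsState -eq 'STOPPED') -and $vlfltDown)
}

$eps     = Get-ServiceStateText -Name 'epsecurityservice'
$vlflt   = Get-ServiceStateText -Name 'vlflt'
# DisplayVersion is empty if the uninstall key does not exist on this machine.
$version = (Get-ItemProperty -Path $UninstallKey -ErrorAction SilentlyContinue).DisplayVersion

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    EpSecurityService = $eps
    Vlflt             = $vlflt
    DisplayVersion    = $version
    VersionInList     = ($version -in $AffectedVersions)
    MatchesIssue      = (Test-OfflineIssue -EpsState $eps -VlfltState $vlflt)
}
```

MatchesIssue applies only the service-state rule from the page; VersionInList is reported separately because the page does not say which version DisplayVersion shows after a failed update.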
BEST services not running on Windows 7
BEST services might not start on Windows 7 operating systems (32-bit or 64-bit) that are not up-to-date. Trying to manually launch the Security Console results in the following crash report:
When encountering this issue, you must install Microsoft security update KB2533623 on the endpoint where the error occurs. You can download the KB2533623 from Microsoft by selecting the Windows 7 operating system and architecture.
Note
We strongly recommend that you update your operating system on a regular basis with the latest security patches, updates, and drivers.
You can download the latest KB4457144, with additional fixes including KB2533623, from Microsoft.
Details of KB4457144: September 11, 2018—KB4457144 (Monthly Rollup).
Standalone package: Microsoft Update Catalog - KB4457144.
Note
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the Microsoft website.
Cloning a Windows system containing BEST without using the Sysprep tool
This section provides a solution for situations when you cannot use the Sysprep tool to clone a Windows system that has the Bitdefender security agent installed.
This section addresses the scenario where you use other solutions instead, such as VMware QuickPrep.
Issue
When cloning a Windows system, the Sysprep tool is not able to reset the unique ID generated by the Bitdefender agent and used by GravityZone for identification. If you create a clone without resetting the ID, the machine will have duplicate entries in the GravityZone inventory.
Solution
Note
You must perform these steps before completing the Windows image and before you start deploying it on other endpoints.
When you cannot use Sysprep to reset the unique ID assigned to each managed system, follow these steps:
Run the patch.
Restart the machine immediately and the unique identifier will be regenerated.
Cloning a Windows system containing BEST by using the Sysprep tool
This section shows how to troubleshoot cloning a Windows system with the Sysprep /generalize command when Endpoint Security, Bitdefender Tools, or Bitdefender Endpoint Security Tools (BEST) are already installed.
Symptoms
When using the System Preparation tool by running the Sysprep /generalize command, and an antivirus is present on the endpoint you want to clone, Sysprep may be unable to run properly due to antivirus self-protection.
The following error message may be displayed at Windows startup: "Windows could not finish configuring the system. To attempt to resume configuration, restart the computer."
Troubleshooting
This procedure applies if one of the following Bitdefender security agents is installed on the endpoint: Bitdefender Endpoint Security Tools (BEST), Endpoint Security, and Bitdefender Tools.
To determine if the issue is generated by the Bitdefender security agent:
Press Shift+F10 to open a Command Prompt window.
Navigate to C:\Windows\Panther.
Copy the Setup.etl file from the corrupted system to a second Windows machine.
Note
For ease of access, you may put it on the root of the C: drive.
Open a Command Prompt window on the second Windows computer.
Navigate to the location where you saved the file.
Type:
tracerpt setup.etl -o logfile.csv
Open logfile.csv in your text editor of choice.
Search for the "Failed to process reg key or one of its descendants" message.
For example: "Failed to process reg key or one of its descendants: [\REGISTRY\MACHINE\SOFTWARE\Bitdefender]"
If the message is present, continue to the Solution section.
Solution
To overcome this error when the endpoint is protected by Bitdefender, follow these steps:
For environments with Active Directory
Make sure that Windows OS and Endpoint Security by Bitdefender are up to date.
Create a Group Policy Object (GPO):
Open the Group Policy Management Editor.
Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
Select Shutdown.
In the Shutdown Properties window, click Add.
Add the script to be run at every shutdown.
Right-click on the Organizational Unit in which the Master Machine was added (the machine that will be used for sysprep) and select Link an existing GPO.
Select the GPO that was previously created.
Click OK.
From an elevated command prompt run the following command:
C:\Windows\System32\Sysprep\sysprep.exe /generalize
In the System Preparation Tool window, select Shutdown from the Shutdown Options drop-down.
Click OK.
For environments without Active Directory
Make sure that Windows OS and Endpoint Security by Bitdefender are up to date.
Modify the local policy:
Open the Local Group Policy Editor.
Go to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
Select Shutdown.
In the Shutdown Properties window, click Add.
Add the script to be run at every shutdown.
From an elevated command prompt run the following command:
C:\Windows\System32\Sysprep\sysprep.exe /generalize
In the System Preparation Tool window, select Shutdown from the Shutdown Options drop-down.
Click OK.
Remove the newly added script from the newly cloned machine.
Note
Bitdefender Endpoint Security Patch for Sysprep is updated regularly, so before cloning the virtual machine, download the patch again to make sure that you have the latest version.
Related articles
Microsoft Technet articles:
Sysprep (Generalize) a Windows installation
Windows could not finish configuring the system error after sysprep /generalize
Tamper Protection in Bitdefender Endpoint Security Tools for Windows
This section explains the role of Tamper Protection in Bitdefender Endpoint Security Tools for Windows.
Tamper Protection is a functionality that prevents BEST for Windows from being disabled or deleted by malicious software.
Tamper Protection prevents the following actions:
Changing or deleting the product files.
Editing or deleting the registry keys of BEST.
Stopping BEST processes.
This functionality is automatically activated in BEST.
Additionally, GravityZone administrators can configure an uninstall password via policy to prevent unauthorized removal of BEST by local administrators.