Skip to main content

Troubleshooting

Endpoints offline since August 17, 2023

You may notice that some Windows endpoints appear offline in Control Center since August 17, or the latest date a product update has been attempted. The event that led to this status is the agent update to version 7.9.5.318, released on Fast ring.

The update intends to replace the vlflt driver file with a new version and stop the services associated with this old version. In some corner cases, this driver did not stop properly, causing loss of communication with GravityZone.

The following product versions can be affected when updating to version 7.9.5.318, on Fast ring: 7.8.4.268, 7.8.4.270, 7.9.1.280, 7.9.1.281, 7.9.1.283, 7.9.1.285, 7.9.2.289, 7.9.2.290, 7.9.3.296, 7.9.3.297, 7.9.3.298, 7.9.4.303, 7.9.4.306, and 7.9.4.313.

To check if your endpoints are offline because of this issue, you must verify the service status of epsecurityservice and vlflt on the affected endpoint. If epsecurityservice is stopped and vlflt is stopped or pending, then the endpoint is affected.

You can check the service status from an elevated command prompt, by running the following commands:

sc query epsecurityservice
sc query vlflt

To fix this issue, you must reboot the endpoint for version 7.9.5.322 to become available. After the update, you can reboot the endpoint again at your earliest convenience.

Finding the product version of BEST in registry editor

This method helps you check the product version when BEST runs in silent mode, and the application icon is missing from the Notification area.

On the target endpoint, follow these steps:

  1. Press Win + R to open the Run window.

  2. Type regedit and press Enter to open the registry editor.

    Click Yes if prompted by User Account Control.

  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security.

  4. Find the DisplayVersion registry key. Its value displays the product version of the agent installed on the endpoint.

Using the Power User module

Enabling the Power User module in BEST allows you to use it for troubleshooting purposes (for example: policy settings or exclusions).

Overview

Power User is a module designed for troubleshooting purposes and gives you administrative rights at endpoint level.

You can access and change policy settings locally, through the BEST interface.

Note

Through Power User, you can access the settings of a limited set of modules such as:

  • Antimalware

  • Firewall

  • Network Protection

  • Device Control

Enable Power User

Once the module is installed on the machine, follow these steps:

  1. Go to the Policies page.

  2. Select the applied policy or the one that you want to apply on your endpoints.

    16991_3.png

  3. Go to General and click Settings.

  4. Select the Power User check box.

  5. Set a password.

  6. Click the Save button.

  7. Apply the policy, if it was not applied previously.

    power-user-console-settings.png

Access Power User

To access Power User, follow these steps:

  1. Right-click the system tray icon of BEST, and select Power User from the contextual menu.

    Power_User.png

  2. Enter the password in the login window. The Power User window is displayed. Here you can view the policy settings.

  3. Modify the policy settings you are interested in. For more information, refer to Security management.

BEST services not running on Windows 7

BEST services might not start on Windows 7 operating systems (32-bit or 64-bit) that are not up-to-date. Trying to manually launch the Security Console results in the following crash report:

22064_1.png

When encountering this issue, you must install Microsoft security update KB2533623 on the endpoint where the error occurs. You can download the KB2533623 from Microsoft by selecting the Windows 7 operating system and architecture.

Note

We strongly recommend that you update your operating system on a regular basis with the latest security patches, updates, and drivers.

You can download the latest KB4457144, with additional fixes including KB2533623, from Microsoft.

Note

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the Microsoft website.

Cloning a Windows system containing BEST without using the Sysprep tool

This section provides a solution for situations when you cannot use the Sysprep tool to clone a Windows system that has the Bitdefender security agent installed.

This section addresses the scenario where you use other solutions instead, such as VMWare QuickPrep.

Issue

When cloning a Windows system, Sysprep tool is not able to reset the unique ID generated by the Bitdefender agent and used by GravityZone for identification. If you create a clone without resetting the ID, the machine will have duplicate entries in the GravityZone inventory.

Solution

Note

You must perform these steps before completing the Windows image and before you start deploying it on other endpoints.

When you cannot use Sysprep to reset the unique ID assigned to each managed system, follow these steps:

  1. Download Bitdefender Endpoint Security Patch for Sysprep.

  2. Run the patch.

  3. Restart the machine immediately and the unique identifier will be regenerated.

Cloning a Windows system containing BEST by using the Sysprep tool

This section shows how to troubleshoot cloning a Windows system with the Sysprep /generalize command when Endpoint Security, Bitdefender Tools, or Bitdefender Endpoint Security Tools (BEST) are already installed.

Symptoms

When using the System Preparation tool by running the Sysprep /generalize command, and antivirus is present on the endpoint you want to clone, Sysprep may be unable to run properly due to antivirus self-protection.

The following error message may be displayed at Windows startup: "Windows could not finish configuring the system. To attempt to resume configuration, restart the computer."

8259_1.png

Troubleshooting

This procedure applies if one of the following Bitdefender security agents is installed on the endpoint: Bitdefender Endpoint Security Tools (BEST), Endpoint Security, and Bitdefender Tools.

To determine if the issue is generated by the Bitdefender security agent:

  1. Press Shift+F10 to open a Command Prompt window.

  2. Navigate to C:WindowsPanther.

  3. Copy the Setup.etl file from the corrupted system to a second Windows machine.

    Note

    For ease of access, you may put it on the root of the C: drive.

  4. Open a Command Prompt window on the second Windows computer.

  5. Navigate to the location where you saved the file.

  6. Type tracerpt setup.etl -o logfile.csv

  7. Open logfile.csv in your text editor of choice.

  8. Search for the "Failed to process reg key or one of its descendants" message.

    For example: "Failed to process reg key or one of its descendants: [REGISTRYMACHINESOFTWAREBitdefender]"

    If the message is present, continue to the Solution section.

Solution

To overcome this error when the endpoint is protected by Bitdefender, follow these steps:

For environments with Active Directory

  1. Make sure that Windows OS and Endpoint Security by Bitdefender are up to date.

  2. Download Bitdefender Endpoint Security Patch for Sysprep.

  3. Create a Group Policy Object (GPO):

    1. Open the Group Policy Management Editor.

    2. Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

    3. Select Shutdown.

      group_policy_management__with_AD_67959.png

    4. In the Shutdown Properties window, click Add.

    5. Add the script to be run at every shutdown.

      shutdown_properties_67959.png

  4. Right-click on the Organizational Unit in which the Master Machine was added (the machine that will be used for sysprep) and select Link an existing GPO.

  5. Select the GPO that was previously created.

    group_policy_assigned_67959.png

  6. Click OK.

  7. From an elevated command prompt run the following command:

    C:\Windows\System32\Sysprep\sysprep.exe /generalize

  8. In the System Preparation Tool window, select Shutdown from the Shutdown Options drop-down.

    system_preparation_tool_67959.png

  9. Click OK.

For environments without Active Directory

  1. Make sure that Windows OS and Endpoint Security by Bitdefender are up to date.

  2. Download Bitdefender Endpoint Security Patch for Sysprep.

  3. Modify the local policy:

    1. Open the Local Group Policy Editor.

    2. Go to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).

    3. Select Shutdown.

      group_policy_management_without_AD_67959.png

    4. In the Shutdown Properties window, click Add.

    5. Add the script to be run at every shutdown.

      shutdown_properties_67959.png

  4. From an elevated command prompt run the following command:

    C:\Windows\System32\Sysprep\sysprep.exe /generalize

  5. In the System Preparation Tool window, select Shutdown from the Shutdown Options drop-down.

    system_preparation_tool_67959.png

  6. Click OK.

  7. Remove the newly added script from the newly cloned machine.

    Note

    Bitdefender Endpoint Security Patch for Sysprep is updated regularly, so before cloning the virtual machine, download the patch again to make sure that you have the latest version.

Related articles

Microsoft Technet articles:

What is Sysprep?

Sysprep (Generalize) a Windows installation

Windows could not finish configuring the system error after sysprep /generalize

Tamper Protection in Bitdefender Endpoint Security Tools for Windows

This section explains the role of Tamper Protection in Bitdefender Endpoint Security Tools for Windows.

Tamper Protection is a functionality that prevents BEST for Windows from being disabled or deleted by malicious software.

Tamper Protection prevents the following actions:

  • Changing or deleting the product files.

  • Editing or deleting the registry keys of BEST.

  • Stopping BEST processes.

This functionality is automatically activated in BEST.

Additionally, GravityZone administrators can configure an uninstall password via policy to prevent unauthorized removal of BEST by local administrators.

In this section: