Deployment Problems

We recently purchased Avast Standard Suite with 40 licenses. We were previously using Avast Professional Edition 4.8 which expired on 3/31/10. We have sucessfully downloaded the ADNM, ran discovery & all 40 workstations were found. Then ran deployment. The deployment only worked on 9 of our workstations, and those are new machines that did not have Avast Prof 4.8 on them previously. I cannot get the deploy to work on any of our workstations that were previously running Avast Prof Edition. I have uninstalled Avast and then tried to re-run the deployment, but I just get a waiting message and nothing ever loads, and I don’t get any error messages. I’ve even tried to load it manually on the individual workstations. The problem workstations are running XP Pro or Vista. Any suggestions?

What about Windows Firewall??? Did you make a needed hole into firewall? (see ADNM manual)
Manual installation was without problem? Write more info about your IT infrastructure… (domain or workgroup…)
What kind of manual deployment you used? Downloaded *.exe or installation from via ADNM generated .msi file?

I remember, some years ago, in my case there was no problem with upgrade all my WinXP Pro from Avast Pro to Avast Netclient via installation task (and generated .msi also worked fine). See setup.log on your clients.

Welcome to the forums mmmpha,

Please look at your remote install log for more info, and post your log if needed.

This can be found from within the ADNM console:

Click, (from the top toolbar) View > Show AMS Logs > Remote Install

This will bring up the log from all remote installations.

See if it’s a firewall, permissions, or other issue. Google search “avast (error code in log)” and see what you come up with. Or, post back here with your results and we’ll try to help you.

Also, a list of the most common ADNM error codes are available here: http://forum.avast.com/index.php?topic=16991.0

Here is the remote install log from one of the machines. I was logged in as network administrator.

05/25/10 00:14:28: rinstInstall begin
05/25/10 00:14:28: Init 50 60 C:\WINDOWS\TEMP\asw3D.tmp C:\Program Files\Alwil Software\Management Tools\InstPkgs NULL C:\WINDOWS\TEMP\asw3C.tmp 0
05/25/10 00:14:29: Store
05/25/10 00:14:29: Domains: MMM,
05/25/10 00:14:29: Init MMM\D6R2K391
05/25/10 00:14:29: D6R2K391: GetAccount
05/25/10 00:14:29: D6R2K391: Queueing
05/25/10 00:14:29: StartThread
05/25/10 00:14:29: Loop
05/25/10 00:14:29: SpawnThreads
05/25/10 00:14:29: D6R2K391: StartSetup
05/25/10 00:14:29: D6R2K391: Connecting
05/25/10 00:14:29: D6R2K391: Copying files
05/25/10 00:14:29: D6R2K391: Copying aswISvc.exe
05/25/10 00:14:30: D6R2K391: Copying Admin.ini
05/25/10 00:14:30: D6R2K391: aswResp.dat not present
05/25/10 00:14:30: D6R2K391: Copying Tasks.xml
05/25/10 00:14:30: D6R2K391: Copying setup.exe
05/25/10 00:14:30: D6R2K391: Copying setif_av_net-425.vpu
05/25/10 00:14:30: D6R2K391: Copying setup_av_net-425.vpu
05/25/10 00:14:30: D6R2K391: Copying av_net_agent-105.vpu
05/25/10 00:14:30: D6R2K391: Copying av_net_cmn-6b.vpu
05/25/10 00:14:30: D6R2K391: Copying av_net_dll409-89.vpu
05/25/10 00:14:30: D6R2K391: Copying av_pro_dll409-1a9.vpu
05/25/10 00:14:31: D6R2K391: Copying av_pro_hlp409-3ca.vpu
05/25/10 00:14:31: D6R2K391: Copying av_pro_skins-14.vpu
05/25/10 00:14:31: D6R2K391: Copying av_srv_core-3ee.vpu
05/25/10 00:14:31: D6R2K391: Copying av_srv_dll-19d.vpu
05/25/10 00:14:31: D6R2K391: Copying avscan-374.vpu
05/25/10 00:14:31: D6R2K391: Copying winsys-2.vpu
05/25/10 00:14:32: D6R2K391: Copying winsysgui-2.vpu
05/25/10 00:14:32: D6R2K391: Copying vps-10052401.vpu
05/25/10 00:14:35: D6R2K391: Copying vpsm-10052401.vpu
05/25/10 00:14:35: D6R2K391: Copying news405-32.vpu
05/25/10 00:14:35: D6R2K391: Copying news409-3a.vpu
05/25/10 00:14:35: D6R2K391: Copying jrog-2e7.vpu
05/25/10 00:14:36: D6R2K391: Copying part-prg_av_net-425.vpu
05/25/10 00:14:36: D6R2K391: Copying part-vps-10052401.vpu
05/25/10 00:14:36: D6R2K391: Copying part-news-53.vpu
05/25/10 00:14:36: D6R2K391: Copying part-setup_av_net-425.vpu
05/25/10 00:14:36: D6R2K391: Copying part-jrog-2e7.vpu
05/25/10 00:14:36: D6R2K391: Copying prod-av_net.vpu
05/25/10 00:14:36: D6R2K391: Copying jollyroger.vpu
05/25/10 00:14:36: D6R2K391: Copying servers.def
05/25/10 00:14:36: D6R2K391: Creating service
05/25/10 00:14:36: D6R2K391: Starting service
05/25/10 00:15:29: D6R2K391: ReadProgress
05/25/10 00:15:55: D6R2K391: Progress not available (53) - may be restarting
05/25/10 00:15:55: D6R2K391: Unknown state
05/25/10 00:16:29: D6R2K391: ReadProgress
05/25/10 00:16:44: D6R2K391: Progress not available (51) - may be restarting
05/25/10 00:16:44: D6R2K391: Unknown state
05/25/10 00:17:29: D6R2K391: ReadProgress
05/25/10 00:17:29: D6R2K391: Remote setup failed, error 5 (Access is denied)
05/25/10 00:17:29: D6R2K391: Finished with error in remote setup
05/25/10 00:17:29: D6R2K391: ReadLog
05/25/10 00:17:29: D6R2K391: Remote log not available
05/25/10 00:17:29: D6R2K391: RemoveProgress
05/25/10 00:17:29: D6R2K391: CloseConnection
05/25/10 00:17:29: TerminateAll
05/25/10 00:17:29: rinstInstall end 0

Please answer my question about kind of deployment first…
@ Access denied - it is not so important how you are logged into network, but more important is account of deployment tasks (in case you have used installation task for deployment)

The access denied message is usually caused by a firewall. However, it could mean that you aren’t running the installer as a domain administrator account. Make sure that when you type your admin user account in the deploy task, that you’re using the domain\username format. You have to include the domain name as well.

You can do a few things for this (if it’s the firewall).

  1. You can open the appropriate ports that are needed for communication between the client and ADNM console using group policy (this will prevent you from going to each machine and opening the ports manually). It’s a little bit of work, but if you know what you’re doing, it’s the best and easiest way, and you don’t even need to leave your computer chair. I’ll explain about using the group policy to add the ports soon. By the way, this is only for the windows firewall. If you have a third-party firewall installed, then you’ll have to take extra steps to configure them, and most likely will not be controlled by group policy, so you’ll have to do it manually at each machine.

  2. You could disable the firewall completely (manually, on each machine) while you install avast. You can turn it back on once you are done if you wish (and that’s recommended).

  3. You could disable the firewall completely using group policy. Once you do that, the Windows Security Center will complain that no firewall is turned on, and keep warning people. You could add a policy that disables the Windows Security Center as well, that way the users won’t be bothered by it, however, they’ll never see any other warning messages from the security center.

So, if you decide to go opening the ports needed by ADNM, this should help you out.

Take a look at page 74 of the ADNM manual (Chapter 10) available from here: http://www.avast.com/distributed-network-manager#tab4

That page lists the ports needed for Avast clients to run over the internet (not needed) and ports that need to be opened in the firewall just to communicate with the ADNM console.

In group policy (you should probably create a new policy for this), you would add a program exception like so:

%programfiles%\Alwil Software\Avast4\AvAgent.exe

(Make sure that “Allow Local Program exceptions” is enabled, as well as “Allow local port exceptions”)

Then, define the local port exceptions as follows:

16108:TCP:*:Enabled;avast! NetAgent “Remote Chest” feature

16109:TCP:*:Enabled:avast! NetAgent “Apply To” feature

16111:TCP:*:Enabled:AMS basic communication client

5033:TCP:*:Enabled:avast! update mirror access

16102:TCP:*:Enabled:ADNM console access (No need if in DMZ)

6000:UDP:*:Enabled:AMS Discovery (Used only if currently selected AMS is unreachable)

135:TCP:*:Enabled:RPC/NETBIOS for remote deployment of avast.

139:TCP:*:Enabled:RPC/NETBIOS for remote deployment of avast.

445:TCP:*:Enabled:RPC/NETBIOS for remote deployment of avast.

137:UDP:*:Enabled:RPC/NETBIOS for remote deployment of avast.

138:UDP:*:Enabled:RPC/NETBIOS for remote deployment of avast.

Make sure File and Printer sharing is enabled on clients

And that should be it…

Once those exceptions have been applied through group policy (I’d say 15mins or so), you can try the install again.

Again, make sure your credentials are correct on your deploy task, and give group policy some time to replicate to all of your computers for the ports to open. After that, you should be golden!

EDIT added more ports that I just found 6-24-2010

sorry Paba, I know that you posted as I was writing, but I had WAY too much effort into my post!

My knowledge is limited on some of this computer stuff. I am by no means an IT person! We bought Avast from the Avast website because it was what we were already using and it was cheaper than the antivirus software that our outside IT people quoted/recommended. Now, we have probably spent more just trying to get it to work than if we would have purchased the recommendation of them. They are not familiar with Avast and cannot figure it out. (They actually suggested that we try to get our money back.) So here I am trying to get some answers for them. It is all about the principle now…I want to get this working on all the machines. I do not think this is a firewall issue (I could be wrong)because we have gotten it to load on 12 of our machines now with no errors. The only common thread that I can see is that those 12 machines did not previously have Avast loaded on them. We have a domain policy that disables all windows firewalls. I have disabled the Simple File Share in the folder options. We do have a 3rd party firewall, but from what I understand that doesn’t affect the local machines it just protects from the server to the outside.

Deployment…Per our outside IT person he tried about 10 different configurations on 2 of our machines that wont install it. An install package was created in ADNM, then through Tasks we deployed it to the workstations using OurDomain\Administrator login & password. The machines that previously had Avast on them are giving me the error 5-access denied. I’ve logged into these machines with the administrator login just to make sure I had access to them and can do that with no problem. I tried to copy the InstPkgs file folder from the AMS file to a shared drive. Then I went to the local machine, logged in as network administrator and then tried to open the setup.exe file inside the InstPkgs folder and it wouldn’t open. I got the hourglass and then a flash but nothing happened or opened. Is there something else I have to do to try and load this manually from the local machine?

I also ran the uninstaller from the Avast website on one of our machines thinking maybe something from our previous version of Avast Prof is still there that is not allowing us to install. But still have had no luck.

Should I need to open any ports if we have all windows firewalls disabled? or are there necessary ports that need to be opened with a third party firewall? Any suggestions?

??? You can see pfirewall.log on problematic stations or see if firewall services is stopped. Than you have to be sure, if personal firewall is stopped or not. But when you deploy Avast properly, Windows firewall shouldn’t be a problem. I use Windows firewall (with holes into) on all my WinXP Pro stations and ADNM works properly.

Try aswcleaner again (best after booting into emergency mode) on one of workstations and try to deploy Avast on it. Check if all registry setting are cleaned (HKLM\software\Alwill…) But I’m not sure if it is solution of your problem, because I count that problem must be somewhere else… Maybe in your IT infrastructure…?

I got the hourglass and then a flash but nothing happened or opened. Is there something else I have to do to try and load this manually from the local machine?
1. In ADNM console define installation package for NetClient, create installation task and choose "Only generate MSI..." option. After you successfully create MSI package into some shared directory, try to run it from workstation (and deploy Avast Netclient locally). I never tried deploy Netclient running setup.exe from Instpkgs folder.
Should I need to open any ports if we have all windows firewalls disabled? or are there necessary ports that need to be opened with a third party firewall? Any suggestions?
What kind of third party firewall you mean? Firewall on gateway into internet or personal firewall on stations??? When you run any personal firewall on station, you have to make a hole into it, when you want to manage your stations (and deploy Avast remotely). But you wrote, that (personal) firewall is stopped...? I'm not sure, if I understand your description well...

Well, this is an odd one then.

If you have the firewall disabled, then no, you won’t need to open any ports, as they should already be available.

If you ran the uninstaller on one of the machines and it still wouldn’t allow avast to be installed, either by remote deployment or manual installation via a MSI file, something has gone awry.

My suggestion would be to try to find out if one of the “trouble computers” have been infected by a virus or malware that prevents avast’s installation. I know it’s a long shot at this point, but I guess it doesn’t hurt to try. Try downloading malwarebytes from www.malwarebytes.org and give one of the computers a quick scan.

If nothing bad is found, check the event log and make sure the computer has all of it’s updates.

It’s troubling to me that you’re having so many problems with this. Hopefully something dumb is set wrong somewhere and we figure it out.

Just another shot in the dark, you say

The only common thread that I can see is that those 12 machines did not previously have Avast loaded on them.

Was there another A/V product on these computers, or were they unprotected? Bad uninstalls can cause all kinds of issues, especially with that Norton / McAfee crap.

Another thing:

We do have a 3rd party firewall, but from what I understand that doesn’t affect the local machines it just protects from the server to the outside.

I know you’re not a computer person, but maybe you can get this answer from your IT people, is it a software firewall installed on the server, or are we talking about a hardware appliance that sits between your internet gateway (cable modem, CSU/DSU, whatever you have) and the server? Maybe just a simple router (like a linksys or something)?

It is odd that it would allow some computers to install and not others, so you’re probably right that this isn’t the issue, but it’s worth looking at if it has logs of some sort that can be reviewed.

Hope to get you up and running soon! I’m sure you’ll love it once it’s installed…

Here is a message I got from one of our users after he ran the downloaded Avast uninstall tool. Does this mean anything?

Before running the “Uninstall tool” and after running the "Uninstall tool, these Avast files were present and still remain on my computer.

Avast4 C:\Program files\Alwil Software\setup.ini (or setup.log)
AVASTSS.SCR-00276811.pf C:\Windows\Prefetch (Unable to open)
AVASTSS.scr C:\Windows\System32 (Unable to open)
avast4 C:\Windows/Temp (File empty)

I guess the user didn’t have permission to open those files, or they were already running in another process.

I emailed our IT guys a copy of this web forum discussion/advice. Please see my email and his replys below…

David/Chris:
Could you please read through this discussion from the Web Forum and see if anything sheds a light on why we can’t get the program to load on some of our computers. Did you look at the errors in the setup logs? From the ones I have had Cheryl test we are getting error 5 – Access denied. Is the mmmxptemp computer that this ADNM is running on able to talk to these local machines?

I don’t know this for sure because I don’t know exactly what machines David Rice had loaded the previous Avast product on, but it seems like the machines that were previously running the Avast Professional 4.8 are the ones that will not load. Can you try and use the Avast uninstall that I had sent to Mickey? I am leary about letting anyone at the office to run it because of what happened to Mickey’s computer after he ran it. Maybe if it was ran properly it could remove all Avast files and allow the deploy to work.

My other thought is I think the machines that are giving us the error 5 – Access denied are all machines that our previous network guy set up for us. It seems like any new machines set up by you have taken the program just fine. Could it be how the machines were set up differently by Matt this is not allowing the install to access the machine.

I know you said our windows firewalls are disabled by a domain policy, but what about our other firewall, would that have any affect? I wouldn’t think it is a firewall issue because I thought the firewall is only on the server not the individual workstations.

Please let me know your thoughts.
mmmpha

mmmpha:
I know Chris has followed those steps from the Avast site regarding the removal tool to the letter on those two machines that he was working on. The user that mmmxptemp is logged in as is the Domain Administrator and should have full permissions to every machine on the network. The machines have all been removed from the old domain and joined to the new one that was created when the new servers were installed. Anything the other network guy or David Rice had done was rendered null at that point. The only other firewall on your network is the firewall on your Internet connection and that doesn’t have any bearing on installing this software; it’s strictly to keep the outside world out of your network.
My opinion on this would be to try and get a refund from Avast. Clearly their support is sub-par and I don’t know that continuing to pursue this isn’t just a waste of everyone’s time and energy. Installing any piece of software shouldn’t be this difficult, especially when you are upgrading from the same company’s software to a newer version.

-David

David:
I wasn’t referring to the network settings that the previous guy set up, I was referring to the local policies on the individual machines…would that make a difference?
-mmmpha

mmmpha:
No the local policies are over-ridden by domain policy. If the local policies were blocking anything we wouldn’t be able to install or remove anything from those machines, and that isn’t the case.
-David

Well, I guess you could take your IT consultants advice and get a refund if you’d like.

It’s totally up to you.

If not, we’ll still try to help you get further.

I wonder that you solve this problem, when you are not, as you wrote “IT person”. Such problem should be job for your IT admin, not for advanced user or manager. Otherwise is very difficult to give helpful advice.
I’m not sure, if refund and other antivirus will void of your problem. Before do it, I recommend, ask your IT admin to try manual installation on local workstation from MSI generated in install tasks (as I wrote previously).

Paba…Our IT guys have already tried the manual installation, MSI, and all other methods recommended in the ADMN manual or here on the web forum. They have even sent an email to tech support. It took tech support 9 days to reply and the reply was very generic help of which had already been tried. It shouldn’t be this difficult to load a program espcially since we were already on avast. The machines that were not previously running avast loaded very easily, but for some strange reason they cannot get the machines previously running Avast Prof 4.8 to load.

Did they use aswcleaner to remove unmanaged Avast? Did they use properly?
I tried aswcleaner some year ago (1-2) and it worked fine. But it was not necessaryfor me to use it, because I used previous version of 4.8, without self protection.
I can only recommend your IT guys to try aswcleaner after booting into Safe mode, than see registry in HKLM\software\Alwill… (and other) if Avast remover properly clean registry entries from rest of Avast. And if there are any suspection on corrupted Windows files, they can run System file checker (SFC /scannow) It need installation files (typically need CD) so best way is to copy them on disk and change registry value named ServicePackSourcePath and SourcePath with proper path to I386 directory.